
Security: MelodyKit/melody.kit


SECURITY.md

Security Policy

Reporting

Thank you for taking the time to responsibly disclose any problems you find.

Do not file public issues as they are open for everyone to see!

All security vulnerabilities in melody.kit should be reported by email to [email protected]. Your report will be acknowledged within 24 hours, and you will receive a more detailed response within 48 hours indicating the next steps in handling your report.

You can encrypt your report with our PGP key, fingerprint 3A01BF65BC0D38CF4CF76EB3F04B373881F4291E. The key is also available on MIT's key server and is reproduced below; before encrypting, check that the fingerprint of the key you fetched matches the one given here.
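The steps a reporter takes before sending an encrypted report, as an added example that is not part of melody.kit's policy or code: fetch the key, confirm that its primary fingerprint equals the one published above, and only then encrypt to that fingerprint rather than to a name or e-mail address, so that a look-alike key someone uploaded to a keyserver cannot receive the report. The keyserver address, file names and the two sample `gpg --with-colons` listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not melody.kit's own tooling. Verifies a fetched PGP key
# against the fingerprint published in SECURITY.md before encrypting to it.
set -eu

EXPECTED_FPR="3A01BF65BC0D38CF4CF76EB3F04B373881F4291E"   # from SECURITY.md
KEYSERVER="hkps://pgp.mit.edu"   # assumed; the policy only says "MIT's Key Server"

# Normalise a fingerprint as a human might paste it (spaces, lowercase) to the
# 40-hex-digit form that gpg prints in --with-colons output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print only the
# primary-key fingerprints: the first "fpr" record after each "pub" record.
# Subkey fingerprints (after "sub") are skipped.
primary_fprs() {
    awk -F: '$1=="pub"{want=1;next} want && $1=="fpr"{print $10; want=0}'
}

# Succeed only if exactly one primary key is listed and it is the expected one.
# $1 = expected fingerprint, stdin = gpg colon-format listing.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    fprs=$(primary_fprs)
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 1
    [ "$fprs" = "$expected" ]
}

# Real-world flow: fetch, verify, encrypt. $1 = plaintext report, $2 = output.
fetch_and_encrypt() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$EXPECTED_FPR"
    gpg --with-colons --fingerprint "$EXPECTED_FPR" | fingerprint_matches "$EXPECTED_FPR" \
        || { echo "fingerprint mismatch, refusing to encrypt" >&2; return 1; }
    # Encrypt to the fingerprint, never to a UID string, so a colliding name on the
    # keyserver cannot redirect the report; --trust-model always skips the WoT prompt.
    gpg --trust-model always --armor --recipient "$EXPECTED_FPR" \
        --output "$2" --encrypt "$1"
}

# Constructed sample listing (not real gpg output) of a key whose primary
# fingerprint matches the published one; the key ID is its low 64 bits.
GOOD_LISTING='pub:-:4096:1:F04B373881F4291E:1600000000::-::scESC::::::23::0:
fpr:::::::::3A01BF65BC0D38CF4CF76EB3F04B373881F4291E:
uid:-::::1600000000::0000000000000000000000000000000000000000::MelodyKit Security::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1600000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Constructed look-alike: same UID text, different primary fingerprint, as a
# keyserver could return for a key anyone uploaded under that name.
BAD_LISTING='pub:-:4096:1:DEADBEEFDEADBEEF:1600000000::-::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFDEADBEEFDEADBEEF:
uid:-::::1600000000::0000000000000000000000000000000000000000::MelodyKit Security::::::::::0:'

# Offline check of a listing against the published fingerprint. $1 = listing.
check_listing() {
    printf '%s\n' "$1" | fingerprint_matches "$EXPECTED_FPR"
}

# Only touch the network and gpg when explicitly asked:
#   sh report.sh encrypt report.txt report.txt.asc
case "${1:-}" in
    encrypt) fetch_and_encrypt "$2" "$3" ;;
esac
```

The check deliberately fails when the keyserver returns more than one key for the search, since a lookup by name or e-mail can match several; a lookup by full fingerprint, as above, should return one key, and the comparison still guards against a keyserver or proxy substituting another.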

After the initial reply to your report, the core team will try to keep you informed of the progress being made towards a fix and an official announcement. These updates will be sent at least every five days; in practice they are more likely to arrive every 24-48 hours.

Disclosure Policy

melody.kit has a 5-step disclosure process:

  1. The security report is received and is assigned a primary handler. This person will coordinate the fix and release process.

  2. The problem is confirmed and a list of all affected versions is determined.

  3. Code is audited to find any potential similar problems.

  4. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement.

  5. On the embargo date, the changes are pushed to the public repository and new builds are deployed.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the issue in as timely a manner as possible; however, it is important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.

Security Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=O4mq
-----END PGP PUBLIC KEY BLOCK-----

Attribution

This Security Policy is adapted from Rust's Security Policy.

There aren’t any published security advisories