This document describes the security policy and reporting procedures for the Hyper project.
If you want to report a bug that is not security-sensitive, please submit an issue.
Our team takes all security issues in Hyper seriously. If you want to report a security issue, we appreciate your effort and kindly ask you to disclose it responsibly. Hyper does not yet offer a bug bounty programme or other forms of monetary compensation. However, we can acknowledge your effort publicly in the GitHub project. Thank you for improving the security of the Hyper project!
Report security issues via email at hyper-security@kiprotect.com.
The Hyper team will try to acknowledge your email within 24 hours and will respond in more detail within 48 hours, explaining the resulting actions. Our security team will keep you up to date on the progress towards fixing the vulnerability and may ask you for additional information.
Please report security issues in third-party dependencies to the person or team maintaining that dependency.
Please note that we will ignore beg bounties, i.e. vague e-mails asking for compensation in exchange for disclosing a security issue.
When we receive a security bug report, we will assign it to a person who handles your disclosure. This person is responsible for the following steps of the fix process:
- Confirm the problem and identify affected versions
- Audit the code to find similar problems
- Develop fixes for all affected versions
- Release fixes as quickly as possible
Feedback on this policy and the process is welcome. If you want to suggest how to improve it, we kindly ask you to submit a pull request.