SECURITY.md
Security Policy

Supported Versions

Use this section to tell people about which versions of your project are currently being supported with security updates.

Version Supported
0.x.x

Reporting a Vulnerability

When reporting a vulnerability which affects any of the following:

  • Privacy of end users
  • Security of end users
  • Access to secure assets (documents, etc., which are owned by the app)

Please send your report directly to [email protected], and I will create an issue. You will receive full (public) credit for the vulnerability once the patch hits production and all major public versions of Phantom are updated.

If your vulnerability doesn't affect any of those key issues, please create a standard issue within this repository on GitHub. If the issue doesn't affect any of those key issues, but you feel the severity is such that it needs to be patched before it is made public, you can still contact us directly via email at your discretion.

We will never mock, ignore or otherwise mistreat you for taking an issue seriously, even if we don't feel it warranted secret disclosure. Ultimately, the security and privacy of our users is our prime concern.

Responsible disclosure policy

Please note that in the event of a CVE or other issue which affects the security of Phantom (or any Phantom plugins created by the SAFEPublishing group), users of the affected application will be notified within 24 hours of discovery.

The following chain of events will happen, in order:

  1. We will diagnose the vulnerability within 24 hours and attempt to provide a fix.
  2. If we are able to provide a fix, we will first update the safe://phantom application, then publicize the vulnerability on our SAFE Forum page and the Phantom blog located at safe://phantomblog.
  3. If we are unable to provide a fix, we will publicize the vulnerability on our SAFE Forum page and the Phantom blog located at safe://phantomblog, along with mitigation strategies and a timeline for the fix.