Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

Use GitHub's built-in private vulnerability reporting feature: https://github.com/bearbinary/jarvy/security/advisories/new

Email: security@jarvy.dev (or open a private advisory if email is unavailable)

• Initial response: Within 48 hours
• Status update: Within 5 business days
• Resolution target: Within 90 days (depending on severity)

If you do not receive a response within 48 hours, please follow up via email or create a new private advisory to ensure we received your original report.

Please provide the following information to help us triage and respond effectively:

• Type of issue: (e.g., command injection, path traversal, privilege escalation, etc.)
• Affected component: (e.g., tool installation, hook execution, config parsing)
• Full paths of source file(s) related to the issue
• Location: Tag/branch/commit or direct URL to affected source code
• Step-by-step reproduction instructions
• Proof-of-concept or exploit code (if available)
• Impact assessment: How an attacker might exploit this vulnerability
• Suggested fix: (if you have one)

This project implements comprehensive security practices:

• cargo-audit: RustSec advisory database scanning for known CVEs
• cargo-deny: License compliance, advisory scanning, and crate bans
• Semgrep: Custom security rules for Rust code patterns
• CodeQL: GitHub-native semantic analysis

• GitHub Secret Scanning: Native detection of leaked credentials
• Gitleaks: Pre-commit and CI scanning for secrets

• Automated vulnerability scanning: Daily checks against RustSec database
• License compliance: All dependencies must have OSS-compatible licenses
• Source restrictions: Only crates.io registry allowed (no arbitrary git deps)

• Signed releases: All release artifacts signed with Sigstore (cosign)
• SBOM generation: SPDX and CycloneDX Software Bill of Materials
• Build provenance: SLSA Level 2+ attestation via GitHub Actions
• Reproducible builds: Deterministic build process

We maintain an OpenSSF Scorecard for public security posture reporting:

• Target score: 8.0+ out of 10
• Badge displayed in README

Dependencies must use one of the following licenses:

• MIT
• Apache-2.0
• BSD-2-Clause
• BSD-3-Clause
• ISC
• Zlib
• CC0-1.0
• Unlicense
• MPL-2.0 (weak copyleft, file-level only)

GPL, AGPL, SSPL, and proprietary licenses are blocked.

All releases are signed with Sigstore. To verify:

# Install cosign
brew install cosign  # or see https://docs.sigstore.dev/cosign/installation

# Download release artifact and signature
curl -LO https://github.com/bearbinary/jarvy/releases/download/v1.0.0/jarvy-linux-x86_64.tar.gz
curl -LO https://github.com/bearbinary/jarvy/releases/download/v1.0.0/jarvy-linux-x86_64.tar.gz.sig
curl -LO https://github.com/bearbinary/jarvy/releases/download/v1.0.0/jarvy-linux-x86_64.tar.gz.pem

# Verify signature
cosign verify-blob \
  --signature jarvy-linux-x86_64.tar.gz.sig \
  --certificate jarvy-linux-x86_64.tar.gz.pem \
  --certificate-identity-regexp "https://github.com/bearbinary/jarvy" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  jarvy-linux-x86_64.tar.gz

# Download checksums file
curl -LO https://github.com/bearbinary/jarvy/releases/download/v1.0.0/SHA256SUMS.txt

# Verify
sha256sum -c SHA256SUMS.txt

When using Jarvy:

1. Review jarvy.toml before running: Especially when using third-party configs
2. Review hooks before execution: Use --dry-run to preview what will run
3. Use --no-hooks when running untrusted configurations
4. Keep Jarvy updated: Security fixes are released promptly
5. Verify downloads: Check signatures and checksums for manual installs

We thank the following individuals for responsibly disclosing security issues:

If you've reported a security issue and would like to be acknowledged, please let us know in your report.

For security-related questions or concerns:

• Private advisory: https://github.com/bearbinary/jarvy/security/advisories/new
• Email: security@jarvy.dev

For general questions, please use GitHub Discussions.