This document outlines the general security procedures and policies for the Sum GitHub repo.
Please report security vulnerabilities to us via the built-in GitHub Advisories. We will strive to respond to your report as quickly as possible. To protect our users, we kindly ask that you allow the vulnerability to be fixed before disclosing it publicly.
When reporting an issue, please provide the following information:
- The duration the vulnerability has existed in the project (e.g., commit version)
- Affected component(s)
- A description of the vulnerability, its impact, and instructions on how to reproduce it
- Recommended remediations
- (Optional) Code, screenshots, or videos of the vulnerability (but no executable binaries)
We will use GitHub Security Advisory to communicate during the process of identifying, addressing, and deploying a fix for the vulnerability.
The advisory will be made public once the patched version is released, to inform the community of the issue and its potential security impact.
The following items are not in scope:
- High-volume vulnerabilities, such as overwhelming the service with requests, DDoS, brute force attacks, etc.
- Vulnerabilities from outdated versions of the project
- Spam reports
- Self Cross-Site Scripting (XSS) (user-defined payload)
- Social engineering
- Phishing attempts
- Third-party systems not directly under our control
We do not offer financial compensation for reporting vulnerabilities. However, we deeply appreciate your efforts and will credit you in the fix, expressing our eternal gratitude.