We take the security of this project seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
Do not submit security issues through GitHub Issues, Discussions, or Pull Requests.
If you believe you have discovered a security vulnerability, please submit it through GitHub’s private and encrypted reporting system:
- Open the Security tab of this repository
- Click “Report a vulnerability”
- Include a clear description, impact assessment (if known), and steps to reproduce
You can also open a private vulnerability report directly: https://github.com/klaasnicolaas/python-spoolman/security/advisories/new
This mechanism is the preferred and most secure way to report vulnerabilities, consistent with best practices across open-source projects.
Security vulnerabilities include issues that could affect users of this Python package, such as unsafe handling of remote API data, credential exposure, dependency-related vulnerabilities, or behavior that could allow unintended access to local or remote resources.
After receiving your report, maintainers will:
- Review the submitted information
- Request additional details if necessary
- Investigate and work toward a fix or mitigation
- Communicate with you throughout the process
Maintainers aim to acknowledge vulnerability reports within 7 days when possible. After confirmation, we will work on a fix or mitigation and coordinate disclosure with the reporter.
For confirmed vulnerabilities, we generally aim to coordinate disclosure within 90 days. This is not a guaranteed deadline; the timeline may be shorter or longer depending on severity, exploitability, maintainer availability, and release coordination needs.
To protect the community, please:
- Avoid publicly disclosing the vulnerability until a fix has been released
- Limit testing or reproduction to what is necessary for your report
- Follow coordinated disclosure norms commonly used in open source
We appreciate your contribution to keeping this project secure!