We take the security of OCSF Console IR seriously. Please follow this policy to report vulnerabilities responsibly.
Only the latest main branch is maintained; security fixes are made there, so please report issues against the current codebase.
- Do NOT open a public GitHub issue for suspected vulnerabilities.
- Use GitHub Security Advisories (preferred) to disclose privately: on the repository page, go to Security → Report a vulnerability.
- Alternatively, contact the maintainers through the repository's private Security Advisories channel.
Please include:
- A clear description of the issue and potential impact
- Steps to reproduce (PoC, affected configuration)
- Environment details (OS, Go version, build info)
- Any suggested remediation
We aim to acknowledge reports within 72 hours and to provide a remediation timeline once triage is complete. The process is:
- Triage: We confirm the issue and assess severity.
- Fix: We implement and test a patch.
- Coordination: We may request more details and coordinate disclosure.
- Release: We publish a fix and release notes with appropriate credit.
- Advisory: We publish a security advisory with CVSS (if applicable).
In scope:
- Vulnerabilities in the core CLI, TUI, internal packages, and official plugins (plugins/*).
- Misconfigurations or unsafe defaults that materially increase security risk.
Out of scope:
- Social engineering attacks
- DoS requiring unrealistic resource exhaustion or non-default flags
- Vulnerabilities only present in unsupported/modified builds
We support responsible security research conducted in good faith. Do not exfiltrate data, cause disruption, or access accounts/data you do not own. Follow applicable laws.
We publish advisories and fixes through GitHub Releases and Security Advisories. Please wait for coordinated disclosure before writing publicly (blog posts, social media) about an issue.