Security fixes are applied to the latest main branch.
Please do not open public issues for vulnerabilities.
Use private reporting:
- GitHub Security Advisory (preferred)
- Or contact the repository owner: https://github.com/DickHorner
Please include:
- Affected component/path
- Reproduction steps
- Expected vs actual behavior
- Impact assessment (confidentiality/integrity/availability)
- Suggested mitigation (optional)
- Initial acknowledgement: within 5 business days
- Confidential triage response: within 14 days
- Coordinated remediation and disclosure plan after patch readiness
- Publicly known critical vulnerabilities should be fixed within 60 days when feasible
Because ViccoBoard handles sensitive school data, priority is highest for:
- Authentication/lock bypass
- Data exfiltration or unintended data exposure
- Backup/restore integrity issues
- Storage encryption/key-handling weaknesses
- Dependency supply-chain vulnerabilities in runtime paths
- Local-first default operation
- Optional integrations must remain opt-in
- Architecture boundaries (apps -> modules -> packages)
- Required CI quality gate before merge
Related docs: