Security updates are applied to the latest supported release of the project.

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

Do not open public GitHub issues, discussions, or pull requests for security vulnerabilities.

Preferred: Use GitHub's built-in private vulnerability reporting by navigating to the Security tab of this repository and clicking "Report a vulnerability".

Alternative: If you prefer email, send your report to info@onebusaway.org.

Please include as much information as possible to help us understand and reproduce the issue:
- The type of vulnerability (e.g., SQL injection, cross-site scripting, authentication bypass)
- Full paths of affected source files
- The location of the issue (branch, commit, or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code (if available)
- The potential impact and how an attacker might exploit the issue

We aim to acknowledge vulnerability reports within 7 business days.

If the report is accepted, maintainers will work on a fix and coordinate disclosure with the reporter.

We kindly ask reporters to avoid publicly disclosing vulnerabilities until a fix has been released.