We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take the security of our software seriously. If you believe you have found a security vulnerability, please report it to us as described below.

- ❌ Open a public GitHub issue
- ❌ Discuss the vulnerability in public forums
- ❌ Exploit the vulnerability

- ✅ Email us at: security@example.com
- ✅ Provide detailed information about the vulnerability
- ✅ Include steps to reproduce if possible
- ✅ Allow us reasonable time to address the issue
Please include the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Affected versions
- Suggested fix (if you have one)
- Your contact information for follow-up
```text
Subject: [SECURITY] Potential Command Injection in install-kiro.sh

Description:
There appears to be a command injection vulnerability in the install-kiro.sh
script at line 123 where user input is not properly sanitized.

Steps to Reproduce:
1. Run: ./install-kiro.sh --custom-path "$(malicious_command)"
2. The malicious command gets executed

Impact:
An attacker could execute arbitrary commands with the privileges of the
user running the script.

Affected Versions:
- Version 1.0.0
- Version 0.9.0

Suggested Fix:
Properly sanitize user input using parameter expansion and validation.

Contact:
researcher@example.com
```
When using our installers:

- Verify the source: Always download from official repositories
- Check signatures: Verify script integrity when possible
- Review scripts: Inspect scripts before running with elevated privileges
- Use the `--user` flag: Install without sudo when possible
- Keep updated: Use the latest version

- Input validation: Always validate and sanitize user input
- Avoid eval: Never use `eval` with user-provided data
- Quote variables: Always quote variables to prevent injection
- Least privilege: Request minimal permissions necessary
- Secure downloads: Use HTTPS for all downloads
- Verify checksums: Validate downloaded files when possible
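The sample report above and the scripting rules in this list describe the same defect and its fix: an installer argument such as `--custom-path` that is re-parsed by the shell (via `eval` or an unquoted expansion) instead of being validated and passed as a single quoted word. The following bash snippet is an added illustration of the hardened pattern; it is not code from install-kiro.sh, and the function names, the default install location and the allowed character set are assumptions chosen for the example.

```bash
#!/usr/bin/env bash
# Added example: hardened handling of a --custom-path argument for an
# installer (hypothetical; not the project's own install-kiro.sh code).
set -euo pipefail

# Returns 0 if the candidate install path is acceptable, 1 otherwise.
# Policy assumed for this example: absolute path, a conservative character
# set, and no ".." components. Shell metacharacters ($ ; ( ) ` space,
# newline, ...) are rejected outright rather than "escaped".
validate_install_path() {
  local path="$1"
  [ -n "$path" ] || return 1
  case "$path" in
    /*) ;;            # must be absolute
    *) return 1 ;;
  esac
  case "$path" in
    *[!A-Za-z0-9/._-]*) return 1 ;;   # anything outside the allow-list
  esac
  case "/$path/" in
    */../*) return 1 ;;               # no path traversal components
  esac
  return 0
}

# Unsafe pattern, the one the sample report describes (shown only as a
# comment, never executed here):
#   eval "mkdir -p $custom_path"      # the value is re-parsed by the shell
# Safe pattern: validate, quote, and pass as one argument after "--" so a
# value starting with "-" cannot be read as an option either.
safe_make_dir() {
  local path="$1"
  validate_install_path "$path" || {
    printf 'install: invalid --custom-path %s\n' "$path" >&2
    return 1
  }
  mkdir -p -- "$path"
}

# Minimal option parser. Sets INSTALL_PATH and USER_MODE; returns 1 on
# any invalid input so the caller can abort before touching the system.
parse_args() {
  INSTALL_PATH="${HOME:-/tmp}/.kiro"   # assumed default location
  USER_MODE=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --custom-path)
        [ $# -ge 2 ] || { echo '--custom-path requires a value' >&2; return 1; }
        validate_install_path "$2" || {
          printf 'install: invalid --custom-path %s\n' "$2" >&2; return 1; }
        INSTALL_PATH="$2"; shift 2 ;;
      --custom-path=*)
        validate_install_path "${1#--custom-path=}" || {
          printf 'install: invalid --custom-path %s\n' "${1#--custom-path=}" >&2; return 1; }
        INSTALL_PATH="${1#--custom-path=}"; shift ;;
      --user) USER_MODE=1; shift ;;
      --) shift; break ;;
      -*) printf 'install: unknown option %s\n' "$1" >&2; return 1 ;;
      *) break ;;
    esac
  done
  return 0
}
```

The allow-list check does the real work: a value like `/opt/kiro;id` or `/opt/kiro$(id)` is refused before it reaches any command, and because the accepted value is only ever used as a quoted argument (`mkdir -p -- "$path"`), nothing the shell could re-interpret is ever re-parsed. The checks are deliberately strict; a project that needs spaces or Unicode in install paths should widen the character class rather than fall back to `eval`.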
Our installers include several security features:

- ✅ No automatic sudo: Scripts ask for permission before using sudo
- ✅ User-only mode: Option to install without elevated privileges
- ✅ Input validation: All user inputs are validated
- ✅ Secure downloads: HTTPS-only downloads
- ✅ Temporary files: Proper cleanup of temporary files
- ✅ Configuration backup: Automatic backup before updates
Before each release, we verify:
- All user inputs are validated
- No use of `eval` with user data
- All variables are properly quoted
- Downloads use HTTPS
- Temporary files are cleaned up
- No hardcoded credentials
- Proper permission checks
- Error messages don't leak sensitive info
- ShellCheck passes with no warnings
- Security review completed
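Three items on this checklist (HTTPS-only downloads, checksum verification, and temporary-file cleanup) fit together in one download routine. The bash snippet below is an added example of that routine, not code from the project's installers; the function names, the `curl` options chosen and the sample file used in the digest check are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: HTTPS-only download with checksum verification and
# temp-file cleanup (hypothetical; not the project's own installer code).
set -euo pipefail

# Accept only https:// URLs with a non-empty host; anything else
# (http://, ftp://, file://, a bare path) returns 1.
require_https_url() {
  case "$1" in
    https://[!/]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare a file's SHA-256 digest with the expected hex string.
# Uses sha256sum (GNU coreutils) or falls back to shasum (BSD/macOS).
verify_sha256() {
  local file="$1" expected="$2" actual
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# Download URL into a private temporary directory, verify the digest, and
# print the verified path. The temp directory is removed on any exit, so
# a failed or tampered download never lingers on disk. Network access is
# needed only by this function; the two helpers above are pure checks.
fetch_verified() {
  local url="$1" expected="$2" tmpdir
  require_https_url "$url" || {
    printf 'install: refusing non-HTTPS URL %s\n' "$url" >&2
    return 1
  }
  tmpdir=$(mktemp -d)
  # shellcheck disable=SC2064  # expand $tmpdir now, on purpose
  trap "rm -rf -- '$tmpdir'" EXIT
  # --proto/--proto-redir pin both the first request and any redirect to
  # HTTPS; --fail turns HTTP errors into a non-zero exit instead of a
  # saved error page.
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       --output "$tmpdir/payload" -- "$url"
  verify_sha256 "$tmpdir/payload" "$expected" || {
    printf 'install: checksum mismatch for %s\n' "$url" >&2
    return 1
  }
  printf '%s\n' "$tmpdir/payload"
}
```

The digest is compared with `[ "$actual" = "$expected" ]` on the full hex string, so a truncated or empty `expected` value fails the check rather than passing it; the `trap ... EXIT` means cleanup happens even when `set -e` aborts the script mid-download.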
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 1-7 days
  - High: 7-30 days
  - Medium: 30-90 days
  - Low: Next release cycle
We appreciate security researchers who help keep our project safe. With your permission, we'll acknowledge your contribution in:
- Security advisories
- Release notes
- Hall of Fame (coming soon)
- Security Email: security@example.com
- PGP Key: [Link to PGP key]
- Response Time: 48 hours
Thank you for helping keep our project and our users safe!