scroll is a local terminal markdown reader; its security
surface is small (file I/O, optional shell-out to xdg-open,
optional shell-out to termaid). Vulnerabilities are still
possible — markdown parsers, image decoders, and ANSI emission
are all corners worth scrutinising.

Once v0.1.0 is tagged, security fixes go into the most recent
minor release line. Older minors don't get backports unless
the underlying fix is trivial. Practically: stay on the latest
tag.

| Version | Security fixes |
|---|---|
| latest minor | yes |
| any older | no |

Don't open a public issue. Use GitHub's private vulnerability reporting:

- Go to the Security tab of this repository.
- Click "Report a vulnerability".
- Fill in what you found, how to reproduce it, and what impact you assess.

This routes the report into a private advisory only the maintainers can see. We can collaborate on a fix and a disclosure timeline before any public mention.

What to expect after reporting:

- Acknowledgement within 7 days of the report.
- An initial assessment (confirmed / disputed / needs more info) within 14 days.
- Fix, advisory publication, and patched release coordinated with you before disclosure.

scroll is a small project run on best-effort time. If you haven't heard back inside the windows above, a polite ping on the same advisory is welcome.

Out of scope:

- Vulnerabilities that require an attacker to already control the user's filesystem or shell environment — scroll trusts its caller and the file paths handed to it.
- Issues in optional external tools we shell out to (`termaid`, `xdg-open`). Those should be reported to their respective upstreams.
- Issues that depend on a maliciously-crafted patched font installed on the user's system. The fineblocks font is a trust boundary already crossed by `fc-cache`.

If you'd like to be named in the resulting advisory, say so in your report. Anonymous reports are fine too — we'll just write "reported by an external researcher".