
Security: Nicconike/Wakatime-Leaderboards

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

Thank you for improving the security of the project. I take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you find.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them to me by following the steps below:

  1. Email: Send an email to [email protected] with the subject "Security Vulnerability Report: Wakatime-Leaderboards".
  2. Discord: If you prefer not to use email, reach out to me via Discord @nicconike, @Nicco#1741 or the Discord Server
  3. OpenPGP Key: If possible, encrypt your message with my GPG key. You can download the GPG key from here.
  4. Information to Include:
    • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
    • Full paths of source file(s) related to the manifestation of the issue
    • The location of the affected source code (tag/branch/commit or direct URL)
    • Any special configuration required to reproduce the issue
    • Step-by-step instructions to reproduce the issue
    • Proof-of-concept or exploit code (if possible)
    • Impact of the issue, including how an attacker might exploit the issue

How to Use the GPG (OpenPGP) Key

  1. Download and install GPG software (GnuPG).

  2. Download the public key from the key server:

    1. Open the OpenPGP key server website in your browser
    2. Search for the key using this fingerprint: 333675FF949C2CDDB86DBD64C82BDEDDEFDE338B
    3. Click on the public key (listed as rsa4096/333675ff949c2cddb86dbd64c82bdeddefde338b), which downloads the file 333675ff949c2cddb86dbd64c82bdeddefde338b.asc
    4. Rename the file to something simpler, like public_key.asc
  3. Import the public key:

    • After downloading the public key file (public_key.asc), import it into your GPG keyring using the following command:
       gpg --import public_key.asc
  4. Verify the imported key:

    • List the keys in your keyring and check that the fingerprint shown for the imported key is exactly 333675FF949C2CDDB86DBD64C82BDEDDEFDE338B (a successful import only proves that some key was added, not that it is the right one):
       gpg --list-keys
  5. Encrypt your message:

    • Create a text file containing your vulnerability report (e.g., vulnerability_report.txt).
    • Encrypt the file to the public key (the address after --recipient must match a user ID on the imported key; if more than one key in your keyring carries that address, pass the fingerprint above as the recipient instead):
       gpg --encrypt --armor --recipient [email protected] vulnerability_report.txt
    • This creates an ASCII-armored encrypted file, vulnerability_report.txt.asc, next to the original.
  6. Send the encrypted message:

    • Send the encrypted file (vulnerability_report.txt.asc) to me via Discord [@nicconike] or the Discord Server
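The six steps above as one script, added here as an example; it is not part of the project or its policy. The only value taken from this page is the fingerprint. The key server (keys.openpgp.org), the GnuPG 2.x command line, the function names and the report file name are assumptions. It differs from the manual steps in the places a practitioner cares about: the key is fetched by its full fingerprint rather than by searching for a name, the imported key's fingerprint is compared against the published one before anything is encrypted, and encryption is addressed to the fingerprint rather than to an e-mail address.

```shell
#!/bin/sh
# Added example, not part of the project: fetch the maintainer's key by its
# published fingerprint, import it, verify the fingerprint, then encrypt a report.
# Assumptions: GnuPG 2.x is installed; the key server is keys.openpgp.org; the
# report file name is the one SECURITY.md suggests.
set -eu

# The only value taken from SECURITY.md. Spaces are tolerated; they are stripped below.
EXPECTED_FPR="333675FF949C2CDDB86DBD64C82BDEDDEFDE338B"
KEYSERVER="hkps://keys.openpgp.org"   # assumption: the server linked from the policy

# Canonical form of a fingerprint: no spaces, upper case, so that a fingerprint
# copied from a web page compares equal to the one gpg prints.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 only when both inputs are the same 40 hex digits.
fpr_matches() {
  a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
  [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# Full fingerprints (fpr records, field 10 in --with-colons output) of every key
# in the keyring that matches the search term.
key_fingerprints() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10 }'
}

# Steps 2 and 3 in one go: ask the key server for exactly this fingerprint.
# Searching by name or address would accept any key uploaded under that name.
fetch_key() {
  gpg --batch --keyserver "$KEYSERVER" --recv-keys "$(norm_fpr "$EXPECTED_FPR")"
}

# Step 4 with the actual check: "gpg --list-keys" only shows that a key was
# imported. Compare what the keyring holds against the published fingerprint.
verify_key() {
  actual=$(key_fingerprints "$(norm_fpr "$EXPECTED_FPR")" | head -n 1)
  fpr_matches "$actual" "$EXPECTED_FPR"
}

# Step 5: encrypt to the fingerprint, not to an e-mail address. Several keys may
# carry the same user ID, and --recipient <address> takes whichever gpg finds first.
# --trust-model always skips the web-of-trust prompt; it is acceptable here only
# because verify_key has just compared the fingerprint.
encrypt_report() {
  report=$1
  gpg --batch --yes --armor --encrypt --trust-model always \
      --recipient "$(norm_fpr "$EXPECTED_FPR")" --output "$report.asc" "$report"
  printf '%s\n' "$report.asc"
}

# Usage: sh encrypt_report.sh vulnerability_report.txt
if [ $# -eq 1 ]; then
  fetch_key
  verify_key || { echo "fingerprint mismatch: refusing to encrypt" >&2; exit 1; }
  encrypt_report "$1"
fi
```

The script refuses to encrypt when the fingerprint gpg reports for the imported key differs from the one in the policy, which is the check that step 4 is really asking for. The resulting vulnerability_report.txt.asc is then sent exactly as step 6 describes.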

You should receive a response within 24 hours. If for some reason you do not, please follow up via Discord to ensure I received your original message.

Preferred Languages

I would prefer all the communications to be in English.

Policy

This project follows the principle of Coordinated Vulnerability Disclosure.

Please also see GitHub's docs on privately reporting a security vulnerability.

Supported Versions

Version   Supported
> 1.1.0   Yes
< 1.0.0   No

Thank you for helping to keep the project secure!
