Security
Security policy, supported versions, and how to report a vulnerability.
Supported versions
sendit follows a rolling release model. Only the latest stable release receives security updates.
| Version | Supported |
|---|---|
| Latest stable | ✓ |
| All previous | ✗ |
Reporting a vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub’s private vulnerability reporting to submit a report confidentially. You will receive acknowledgement within 48 hours and a resolution target within 7 days.
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Any suggested fix or mitigation (optional)
Disclosure policy
We follow coordinated disclosure. Once a fix is available, we will publish a GitHub Security Advisory and release a patched version simultaneously. We aim to resolve confirmed reports within 30 days of confirmation.
Build provenance
All release artifacts from v0.12.2 onwards include SLSA provenance attestations generated by GitHub Actions. You can verify that a downloaded artifact was produced by this repository’s CI pipeline and has not been tampered with:
```sh
gh attestation verify <artifact> --owner lewta
```
Requires the GitHub CLI (v2.49.0+). On success the command prints the signing certificate details and exits 0; on failure it exits non-zero.
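As an added example (not the sendit project's own code), a small wrapper that uses that exit status to refuse installation of an unverified download. It assumes the release tarball is already downloaded and the GitHub CLI is installed and authenticated, and it pins the check to `--repo lewta/sendit`, which is stricter than the owner-level form above because it rejects attestations produced by any other repository under the same owner.

```shell
#!/bin/sh
# Added example, not part of the sendit project: gate installation of a
# downloaded sendit release on a successful SLSA provenance check.
# Assumptions: GitHub CLI v2.49.0+ is installed and authenticated, and the
# release tarball is already downloaded. `--repo lewta/sendit` is stricter
# than the `--owner lewta` form shown above: it rejects attestations
# produced by any other repository under the same owner.
set -u

# Returns 0 only when gh verifies the artifact's attestation;
# 2 if the file is missing, 1 if verification fails.
verify_sendit_artifact() {
    artifact="$1"
    if [ ! -f "$artifact" ]; then
        echo "missing artifact: $artifact" >&2
        return 2
    fi
    # gh prints the signing certificate details on success and exits 0;
    # any non-zero exit (no attestation, digest mismatch, wrong repo) fails.
    if gh attestation verify "$artifact" --repo lewta/sendit; then
        return 0
    fi
    echo "attestation check FAILED for $artifact; refusing to install" >&2
    return 1
}

# Unpacks the tarball only after provenance has been verified, so an
# unattested or tampered download never reaches the install step.
install_sendit_release() {
    artifact="$1"
    dest="${2:-./sendit-bin}"
    verify_sendit_artifact "$artifact" || return $?
    mkdir -p "$dest" && tar -xzf "$artifact" -C "$dest"
}

# Usage: ./verify-install.sh sendit_0.12.2_linux_amd64.tar.gz [dest-dir]
if [ "${1:-}" != "" ]; then
    install_sendit_release "$1" "${2:-./sendit-bin}"
fi
```

Swap `--repo lewta/sendit` for `--owner lewta` if you prefer the broader owner-level check shown above; the exit-status handling is the same.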
Example:
```sh
gh attestation verify sendit_0.12.2_linux_amd64.tar.gz --owner lewta
# Loaded digest sha256:... for file://sendit_0.12.2_linux_amd64.tar.gz
# ✓ Attestation verified — sendit_0.12.2_linux_amd64.tar.gz was attested by https://github.com/lewta/sendit/.github/workflows/release.yml
```
Security policy
The full security policy is maintained in SECURITY.md in the repository root.