We take security issues seriously.
If you believe you have found a security vulnerability related to the official AhaKey ecosystem, please report it privately.
Please send details to:
Please include as much information as possible:
- affected repository or component
- affected version
- steps to reproduce
- possible impact
- logs, screenshots, or proof of concept if available
To protect users, please do not open a public Issue or Discussion for unpatched security vulnerabilities.
Please give us reasonable time to investigate and respond before making anything public.
This policy mainly applies to:
- official AhaKey repositories
- official baseline desktop software
- official protocol documentation and related tooling
- official services or supporting infrastructure, if any
This policy does not automatically apply to all community-maintained projects unless explicitly stated by their maintainers.
We will try to:
- confirm receipt of the report
- review the issue
- assess severity and impact
- determine next steps for mitigation or fixing
Response time may vary depending on the complexity of the issue.
We appreciate responsible disclosure made in good faith to help improve the security of the AhaKey ecosystem.
我们会认真对待安全问题。
如果你认为自己发现了与 AhaKey 官方生态相关的安全漏洞,请通过私下方式报告。
请发送到:
请尽量提供以下信息:
- 受影响的仓库或组件
- 受影响的版本
- 复现步骤
- 可能带来的影响
- 如果方便,附上日志、截图或 PoC
为了保护用户,对于尚未修复的安全漏洞,请不要先公开发 Issue 或 Discussion。
请先给我们合理时间完成确认、评估和处理,再决定是否公开相关信息。
这份安全策略主要适用于:
- AhaKey 官方仓库
- 官方基础桌面软件
- 官方协议文档及相关工具
- 官方服务或配套基础设施(如果有)
这份策略不自动适用于所有社区维护项目,除非对应维护者明确说明。
我们会尽量做到:
- 确认收到报告
- 复核问题
- 评估严重性和影响范围
- 确定缓解或修复方案
具体响应时间会根据问题复杂度有所不同。
我们感谢以善意、负责任方式提交的安全报告,这会帮助我们持续提升 AhaKey 生态的安全性。