The Upmizer team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
To report a security vulnerability, please use the GitHub Security Advisory "Report a Vulnerability" tab.
Please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any possible mitigations you've identified
After you have submitted your report:
- We will acknowledge receipt of your vulnerability report within 3 business days
- We will assign a primary handler to investigate the issue
- We will keep you informed of our progress throughout the process
- We will notify you when the issue is fixed
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0.0 | ❌ |
Only the latest major version will receive security updates.
Upmizer requires GitHub token access to:
- Create and modify branches
- Push changes to your repository
We recommend using the default `GITHUB_TOKEN` provided by GitHub Actions: it is scoped to the repository running the workflow, can be narrowed further with the workflow's `permissions` block, and expires when the job completes. Note that pushes made with `GITHUB_TOKEN` do not trigger new workflow runs (other than `workflow_dispatch` and `repository_dispatch`), so a branch pushed by Upmizer will not start another pipeline by itself.
When testing Upmizer locally with act:
- Use a dedicated test token with the minimum permissions Upmizer needs (a fine-grained token scoped to a single throwaway repository is ideal)
- Do not use a personal access token that carries scopes beyond those needed for the test
- Avoid exposing secrets in test repositories: pass the token to act at run time (e.g. with `act -s GITHUB_TOKEN=...` or `--secret-file`) rather than committing it, and make sure any local secrets file is listed in `.gitignore`
When using Upmizer in your projects:
- Always pin to a specific version (e.g., NoTaskStudios/[email protected]) rather than a branch; pinning to a full-length commit SHA is stronger still, because tags can be moved while a commit SHA cannot
- Regularly update to the latest version to receive security fixes
- Review changes in the action before updating in production workflows
- Keep your GitHub Actions workflow permissions to the minimum required (for Upmizer that means `contents: write`, not `write-all`)
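The following workflow fragment is an added illustration of the points above and is not part of Upmizer's own documentation or code. It shows a weakly configured job next to a hardened one. The action reference, the commit SHA and the version comment are placeholders (Upmizer's repository name, tags and inputs are not stated on this page), and the job assumes the action only needs to create branches and push, as described above.

```yaml
# Added example (not from the Upmizer project). Placeholders:
#   <repository>       - the action's repository name under NoTaskStudios
#   <full-commit-sha>  - the 40-hex-character commit the release tag points at
#   vX.Y.Z             - the matching release tag, kept as a comment for humans

# --- Weak: mutable branch reference and blanket write permissions ---
name: upmizer-weak
on: [push]
permissions: write-all            # every permission the token can carry
jobs:
  upmize:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: NoTaskStudios/<repository>@main   # follows whatever main becomes

---
# --- Hardened: SHA pin and least privilege ---
name: upmizer-hardened
on: [push]
permissions:
  contents: write                 # create/modify branches and push; nothing else
jobs:
  upmize:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Pin to the exact commit reviewed for this version; the trailing comment
      # records the human-readable tag so updates can be reviewed deliberately.
      - uses: NoTaskStudios/<repository>@<full-commit-sha>   # vX.Y.Z
```

Before bumping the pinned SHA, compare the new commit against the one currently in use (the review step above) and confirm the `permissions` block still matches what the action actually does.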
- We follow a coordinated disclosure process
- Security issues will be announced via GitHub Security Advisories
- After fixes are available, advisories will be published with full details
- CVEs will be requested for significant vulnerabilities