The maintainers of the ades project take security issues seriously. We appreciate your efforts
to responsibly disclose your findings. Due to the non-funded and open-source nature of the project,
we take a best-efforts approach when it comes to engaging with security reports.
This document should be considered expired after 2026-06-01. If you are reading this after that date you should try to find an up-to-date version in the official source repository.
Only the latest release of the project is supported with security updates.
To report a security issue in the latest release or the development head, either:
- Report it through GitHub, or
- Send an email to ericornelissen+security@gmail.com with the terms "SECURITY" and "ades" in the subject line.
Please do not open a regular issue or Pull Request in the public repository.
To report a security issue in an older version - i.e. the latest release isn't affected - please report it publicly. For example, as a regular issue in the public repository. If in doubt, report the issue privately.
The standalone program considers the Go runtime and command line arguments as trusted. The containerized program additionally considers the container runtime used as trusted. The website considers the browser used as trusted. All other inputs, most notably files and text to analyze, are considered untrusted. Any violation of confidentiality or integrity is considered a security issue.
The project considers the GitHub infrastructure and all project maintainers to be trusted. Any action performed by any other GitHub user against the repository is considered untrusted.
Try to include as many of the following items as possible in a security report:
- An explanation of the problem
- A proof of concept exploit
- A suggested severity
- Relevant CWE identifiers
- The latest affected version
- The earliest affected version
- A suggested patch
- An automated regression test
Note: Advisories will be created only for vulnerabilities present in released versions of the project.
| ID | Date | Affected versions | Patched versions |
|---|---|---|---|
| - | - | - | - |
This table is ordered most to least recent.
We would like to publicly thank the following reporters:
- None yet