If you discover a security vulnerability in Scrooge, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email: fabricio@fabricio.dev
Include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix or mitigation: best effort, typically within 2 weeks
This policy covers the Scrooge codebase and its default configuration. Third-party dependencies are managed via Dependabot and npm audit.
Only the latest release on the main branch is supported with security updates.