The Lupaxa Actions Toolbox follows a Security by Design philosophy across all open-source and internal projects. We take vulnerabilities seriously and deeply value responsible disclosure from the community.
We believe that transparency, collaboration, and defensive design are essential for maintaining trust in open source.
If you discover a potential security issue:
- Do not open a public GitHub issue or pull request.
- Email us directly: security@thelupaxaproject.org
- This mailbox is hosted on Proton Mail. If you also use Proton Mail, messages between the two accounts are end-to-end encrypted automatically. Mail sent from any other provider is protected by TLS in transit and stored encrypted on arrival, but it is not end-to-end encrypted, so keep that in mind before including working exploit code or credentials in a first message; you can send a short initial note and agree on a channel after we acknowledge.
- You are not required to use GPG or to provide a public key.
- In your report, please include:
  - A clear description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested mitigations
We will acknowledge receipt within 48 hours and provide regular updates until the issue is resolved.
This policy covers:
- All public repositories under The Lupaxa Actions Toolbox organization
- Related Docker images, GitHub Actions, and published packages (PyPI, RubyGems, Crates.io, npm, and others)
If you are unsure whether a project is in scope, please ask — we will confirm.
In return, we commit to the following:
- We will triage and verify all valid reports within five business days.
- A fix or mitigation plan will be communicated to the reporter before public disclosure.
- Credit will be given to reporters who follow responsible disclosure practices.
- We will work collaboratively to ensure any identified risks are resolved quickly and transparently.
We ask that you:
- Do not exploit a vulnerability beyond what is needed to demonstrate it, and do not publicly share it before a fix is available.
- Do not access or modify data that is not your own.
- Provide enough technical detail to help us reproduce the issue safely.
Following these principles helps us maintain a secure environment for everyone who uses our projects.
The Lupaxa Actions Toolbox
Part of The Lupaxa Project — Open Source, Secure by Design, Guided by Integrity.