- Supported Versions
- Reporting a Vulnerability
- Rules of Engagement (Testing Guidelines)
- What to Include
- Response & Disclosure
- Severity & Target Timelines
- In Scope (examples for this project)
- Out of Scope (for this project)
- CVE & Public Advisory
- Researcher Credit
- Safe Harbor

## Supported Versions

This is an active project under development. Only the `main` branch is actively maintained, so please report security issues against `main`. Older tags may not receive fixes.

## Reporting a Vulnerability

Please do not open a public issue for vulnerabilities.

Use GitHub's private reporting flow:

- Go to the repository's **Security** tab → **Report a vulnerability**, or open: https://github.com/conorgregson/reading-log-app/security/advisories/new

Include the steps to reproduce, the impact, and any suggested fix. If private reporting is temporarily unavailable, you may open a minimal public issue stating "Security report sent privately" (no technical details), and the maintainer will follow up there.

## Rules of Engagement (Testing Guidelines)

- Test only with your own data and accounts.
- Don't disrupt service (no DDoS, no excessive automated scanning).
- No social engineering, phishing, or attacks on non-project infrastructure.
- Share PoCs privately via the advisory thread. Please avoid including sensitive personal data in PoCs.

## What to Include

- Affected files/paths and steps to reproduce
- Expected vs. actual behavior
- Environment details (browser and version)
- Any PoC you can safely share privately

## Response & Disclosure

- We'll acknowledge your report within 7 days (sooner for higher severities; see the table below).
- We aim to provide a remediation plan or fix within 30 days, depending on severity.
- After a fix is released, we'll coordinate a disclosure window with you if needed.
- Note: We don't offer bounties at this time.

## Severity & Target Timelines

| Severity | Triage acknowledgement | Target fix or plan |
|---|---|---|
| Critical | ≤ 3 days | ≤ 14 days |
| High | ≤ 7 days | ≤ 30 days |
| Medium | ≤ 14 days | ≤ 60 days |
| Low | ≤ 21 days | Next reasonable release |

## In Scope (examples for this project)

- Stored or reflected XSS via book fields or JSON import paths.
- Logic flaws that read or write unexpected `localStorage` keys.
- DOM clobbering or prototype pollution leading to code execution.
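The three in-scope classes above share a root cause in a client-side app: untrusted JSON or form input reaching `localStorage` or the DOM without validation. The following is an added example of what a hardened import path looks like; it is not code from reading-log-app, and the book field names (`title`, `author`, `pages`, `status`), the storage key, the status values, and the function names are assumptions for illustration. It rejects prototype-polluting keys at any depth, copies only whitelisted fields into fresh objects, writes only to the one key it owns, and renders with `textContent` so stored strings are never interpreted as HTML.

```javascript
// Added example, not the project's code. Defensive JSON import for a
// browser reading log kept in localStorage. Book field names, the storage
// key, the status values and the function names are assumptions.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const STATUSES = new Set(["to-read", "reading", "finished"]);
const STORAGE_KEY = "reading-log:books"; // assumed key; the only key this path writes

// True if any object at any depth carries a key that would land on
// Object.prototype under a naive Object.assign / deep merge.
// Object.entries only sees own enumerable properties, and JSON.parse creates
// a "__proto__" JSON key as an own property, so it is caught here.
function hasPollutingKey(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.entries(value).some(
    ([key, child]) => FORBIDDEN_KEYS.has(key) || hasPollutingKey(child)
  );
}

// Copy only known fields into a fresh object with the expected types.
// Unknown keys are dropped, so nothing from the import reaches storage
// unvalidated. Strings are stored verbatim; escaping happens at render time.
function sanitizeBook(raw) {
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) return null;
  const title = typeof raw.title === "string" ? raw.title.trim().slice(0, 200) : "";
  const author = typeof raw.author === "string" ? raw.author.trim().slice(0, 200) : "";
  const pages = Number.isInteger(raw.pages) && raw.pages >= 0 ? raw.pages : 0;
  const status = STATUSES.has(raw.status) ? raw.status : "to-read";
  if (title === "") return null; // a book without a title is not importable
  return { title, author, pages, status };
}

// Parse an import file. Returns { ok, error, books } and never throws.
function importBooks(jsonText) {
  let parsed;
  try {
    parsed = JSON.parse(jsonText);
  } catch {
    return { ok: false, error: "invalid JSON", books: [] };
  }
  if (!Array.isArray(parsed)) {
    return { ok: false, error: "expected an array of books", books: [] };
  }
  if (hasPollutingKey(parsed)) {
    return { ok: false, error: "rejected: prototype-polluting key in import", books: [] };
  }
  const books = parsed.map(sanitizeBook).filter((b) => b !== null);
  return { ok: true, error: null, books };
}

// Persist to the one key this feature owns. `storage` is injected (pass
// window.localStorage in the browser) so the function runs outside a browser.
function saveBooks(books, storage) {
  storage.setItem(STORAGE_KEY, JSON.stringify(books));
  return books.length;
}

// Render with createElement/textContent, never innerHTML, so a stored title
// such as '<img src=x onerror=alert(1)>' is shown as text, not executed.
function renderBookRow(book, doc) {
  const row = doc.createElement("li");
  const title = doc.createElement("strong");
  title.textContent = book.title;
  row.appendChild(title);
  row.appendChild(
    doc.createTextNode(` by ${book.author} (${book.pages} pages, ${book.status})`)
  );
  return row;
}
```

The explicit `hasPollutingKey` check is defence in depth: `sanitizeBook` already avoids pollution by never merging the raw object, but rejecting the whole file surfaces a tampered import to the user instead of silently dropping keys, and it also protects any later code path that might merge the parsed data.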

## Out of Scope (for this project)

- Clickjacking or UI issues requiring cross-origin framing.
- Issues requiring privileged local device access or browser extensions.
- Social engineering or attacks on non-project infrastructure.
- Self-XSS (issues requiring a victim to paste code into the console).
- Rate-limit or brute-force findings without demonstrated impact.

## CVE & Public Advisory

We coordinate fixes and disclosure via GitHub Security Advisories. When applicable, a CVE ID may be requested through GitHub. A public advisory may be published once a fix is available.

## Researcher Credit

With your consent, we'll credit valid reporters in release notes and advisories. Anonymous credit is fine; just let us know.

## Safe Harbor

We will not pursue claims against researchers who:

- Act in good faith and follow this policy,
- Avoid privacy violations and service degradation, and
- Give us a reasonable chance to remediate before public disclosure.