We take the security of Miru seriously. If you discover a security vulnerability, please report it through GitHub's Private Vulnerability Reporting.
To report a vulnerability:
- Navigate to the Security tab of this repository
- Click Report a vulnerability
- Fill out the form with as much detail as possible
Please do not open a public issue for security vulnerabilities.
To help us triage and resolve the issue quickly, please include:
- A description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Affected versions
- Any relevant logs, screenshots, or proof-of-concept code
What you can expect from us:
- Acknowledgement within 48 hours of your report
- Status updates as we investigate and work toward a fix
- Credit in the advisory for responsible disclosure (if desired)
We aim to confirm, patch, and disclose vulnerabilities as quickly as possible. The timeline depends on severity and complexity, but we will keep you informed throughout the process.
In scope:
- Security issues in this repository's code
- Vulnerabilities in direct dependencies
Out of scope:
- Social engineering attacks
- Denial of service attacks
- Issues in third-party services or infrastructure not maintained by Miru
- Findings from automated scanners without demonstrated impact
Only the latest release is supported with security updates.
We consider security research conducted in good faith under this policy to be authorized. We will not pursue legal action against researchers who:
- Act in good faith and follow this policy
- Avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities promptly and do not disclose publicly before a fix is available