JA4proxy's full coordinated vulnerability disclosure policy is at:
- Reporting: open a GitHub Security Advisory (private). See CVD_POLICY §2 for details.
- Scope: Go proxy core, CLI, management API, official container image. The Python prototype is out of scope.
- Response: best-effort; no service-level commitments. See CVD_POLICY §3-4.
- Safe harbour: disclose.io Simple Safe Harbor template applies. See CVD_POLICY §7.
Commit d67f4d6 (2026-03-06) inadvertently included a POC Redis password in
a now-deleted analysis doc. The password was rotated; current production
environments do not use that value. The historical commit remains visible
in git history; remove via BFG Repo Cleaner
if compliance requires.