Security policy
Reporting a vulnerability
Email security@shithub.sh. PGP-encrypt the report using the key fingerprint published at https://shithub.sh/.well-known/pgp-key.asc if your finding is sensitive.
The mailbox auto-acknowledges receipt within minutes. A human response (initial assessment + next steps) follows within 72 hours.
Please do not file public issues for security findings. Coordinated disclosure is the norm; we will credit you in the hall of fame on resolution unless you ask not to be named.
Scope
In scope:
- The hosted shithub instance (shithub.sh).
- The shithub source as published on GitHub (github.com/tenseleyFlow/shithub), exploited against any reasonably-deployed self-hosted instance running an unmodified release tag.
Out of scope:
- Findings against third-party services we depend on (DigitalOcean, Postmark, Let's Encrypt). Report those to the vendor.
- Misconfiguration of a self-hosted instance (e.g., operator exposed /metrics without auth) — unless the misconfiguration is the default of a current release.
- Rate-limit-bypass via heroic distributed-IP infrastructure — outside the threat model (docs/internal/threat-model.md).
- Issues that require physical access to the server.
- DoS via resource exhaustion that requires sustained heavy traffic from many unique IPs.
- Best-practice findings without an exploit path (e.g., "you're not setting X-Permitted-Cross-Domain-Policies") — file these as regular issues.
Bug bounty
shithub does not currently run a paid bounty program. We welcome findings regardless and will publicly credit you.
Severity
Coarse 4-level scale:
| Severity | Examples | Target fix |
|---|---|---|
| Critical | RCE; auth bypass; mass-account-takeover; private-data leak | < 24h |
| High | Per-user privilege escalation; SSRF into internal infra | < 7d |
| Medium | Stored XSS limited to an attacker's own scope; CSRF on a non-destructive route | < 30d |
| Low | Information disclosure of non-sensitive data | best-effort |
What you'll receive
- Acknowledgement within 72 hours (auto-ack faster).
- Triage decision — accepted, duplicate, out-of-scope, or needs-more-info — within 7 days for High+ and 30 days for Medium/Low.
- Fix timeline based on severity.
- Coordinated disclosure on patched release; we publish a brief writeup naming you (with consent) and the affected versions.
Hall of fame
Reporters who responsibly disclosed accepted findings:
(Empty for now — first credit goes to the first reporter.)
Our threat model
Published at docs/internal/threat-model.md.
Useful context on what we defend against and what we don't.