Security: DockForge/SBOMinify

SECURITY.md

Thank You for Contributing to DockForge's Security

Security Commitment

At DockForge, we prioritize the security of our software products, including all open source code repositories managed on platforms like GitHub. We are deeply committed to ensuring the integrity and safety of our offerings.

While we diligently manage and maintain our own code, we cannot be held responsible for vulnerabilities in upstream software packages or libraries. If you discover such issues, please report them to the appropriate maintainers. Should no upstream resolution be available, and if the vulnerability materially affects our products, we will strive to implement necessary mitigations or workarounds.

Reporting Security Vulnerabilities

If you identify a security vulnerability in any DockForge-owned repository, we encourage you to report it through our coordinated disclosure process.

Please avoid reporting security vulnerabilities via public GitHub issues, discussions, pull requests, or conversations on our Discord or Discourse platforms.

Instead, report vulnerabilities by emailing us at dublokcom[@]gmail.com with a subject line that includes [security]. Emails that do not follow this subject line format may not be processed.

To help us effectively understand and resolve the issue, please include as much of the following information as possible:

  • The type of issue (e.g., buffer overflow, container escape, privilege escalation)
  • Full paths of source file(s) related to the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if available)
  • Impact of the issue, including potential exploitation scenarios
  • Any additional relevant information

Providing comprehensive details will expedite our triage and resolution process.

Security Research Policy

We value and encourage the research and coordinated disclosure of security vulnerabilities. To support this, we commit not to pursue civil or criminal action or notify law enforcement for accidental or good faith violations of this policy. Security research and vulnerability disclosure activities conducted in line with this policy are considered “authorized” under the Computer Fraud and Abuse Act, the DMCA, and other applicable laws such as the Computer Misuse Act. We waive any potential DMCA claim against you for bypassing the technological measures we have used to protect the applications covered by this security reporting policy.

Please note that if your security research involves third-party networks, systems, information, applications, products, or services, we cannot bind that third party, and they may pursue legal action. We cannot and do not authorize security research on behalf of other entities and cannot defend, indemnify, or protect you from third-party actions.

You must comply with all applicable laws and avoid disrupting or compromising data beyond what is permitted by this security reporting policy.

We encourage you to contact us before engaging in actions that may be inconsistent with or unaddressed by this policy. We reserve the sole right to determine whether a violation of this policy is accidental or in good faith. Proactive communication with us before taking action is a significant factor in our decision-making process. When in doubt, ask us first!
