Skip to content

Security: Aashrithhh/PSTFORGE

Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please report vulnerabilities privately via GitHub Security Advisories ("Report a vulnerability" on the repository's Security tab). Do not open public issues for security reports.

You can expect an acknowledgement within 7 days. Please include reproduction steps and, when relevant, a minimal PST or attachment sample that triggers the issue (synthetic data only — never real mail content).

Supported versions

Version Supported
latest 0.x release
older releases

PSTforge is alpha software; only the most recent release receives fixes.

Disclosure policy

We follow coordinated disclosure: we will work with you on a fix and agree on a publication date, normally within 90 days of the report.

Threat model notes

PSTforge treats every PST and every attachment as hostile input: attachments are routed by magic bytes (not extension), archives are extracted member-by-member under expansion/count/ratio limits, Office macros are never executed, and extraction happens under a private temp root. Log output never contains message bodies, subjects, email addresses, or API keys. Findings that break any of these properties are in scope and appreciated.

There aren't any published security advisories