This document covers repo-specific security boundaries. See the BTCDecoded Security Policy for organization-wide policy.
Supported versions:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
This repository contains build orchestration and release automation for the entire Bitcoin Commons ecosystem. Security vulnerabilities could affect all repositories and releases.
If you discover a security vulnerability in commons, please report it immediately:
- DO NOT create a public GitHub issue
- DO NOT discuss the vulnerability publicly
- DO NOT post on social media or forums
Email: security@thebitcoincommons.org
Subject: [SECURITY] commons vulnerability
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
Response timeline:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Fix Development: 1-2 weeks (depending on severity)
- Public Disclosure: Coordinated with fix release
In scope for this repository:
- Build script injection vulnerabilities
- Version coordination tampering
- Release artifact corruption
- Workflow security bypasses
- Supply chain attacks
- Script execution vulnerabilities
- Configuration file parsing issues
- Authentication/authorization bypasses
- Information disclosure
Out of scope:
- Performance issues
- Documentation errors
- Non-critical script errors
Security requirements for this repository:
- Build scripts:
  - All scripts must validate inputs
  - No command injection vulnerabilities
  - Proper file path sanitization
  - Secure temporary file handling
- Version coordination:
  - Version files must be validated
  - No tampering with version mappings
  - Secure version file distribution
  - Integrity checks on version data
- GitHub Actions workflows:
  - Workflows must be secure
  - No secrets in workflow files
  - Proper authentication for API calls
  - Secure artifact handling
Before reporting, please verify:
- The issue reproduces consistently
- The issue affects build or release processes
- The issue is not already known
- The issue is not a feature request
Security updates will be:
- Released as patch versions (0.1.x)
- Clearly marked as security fixes
- Backported to all supported versions
- Announced on our security mailing list
Contact:
- Security Team: security@thebitcoincommons.org
- General Inquiries: info@btcdecoded.org
- Website: https://btcdecoded.org
We thank the security researchers who help keep the Bitcoin Commons ecosystem secure through responsible disclosure.
Remember: This repository orchestrates builds and releases for the entire Bitcoin Commons ecosystem. Any vulnerabilities could affect all repositories. Please report responsibly.