If you discover a security vulnerability in onceo-core, please report it privately.
Do not disclose it publicly via GitHub Issues.
Send details to security@onceo.dev. We will:
- Acknowledge receipt within 48 hours.
- Investigate and develop a fix.
- Release a patch and disclose publicly after the fix is available.
- Signature verification bypass
- Timing side-channels in HMAC comparison
- Secret key leakage via logs or error messages
- Panic/crash via malformed input
- Vulnerabilities in optional dependencies (Redis, Gin)
- Issues in applications using onceo-core