If you find a vulnerability in Bluewright, do not include exploit details in a public issue. Use GitHub private vulnerability reporting if it is available for the repository, or open a minimal issue asking the maintainer to coordinate a private report channel.
Include:
- affected command or module
- impact summary
- reproduction steps, if safe to share privately
- suggested fix or mitigation, if known
Bluewright workflows run on GitHub-hosted runners for public pull request events. Avoid running untrusted fork pull requests on persistent self-hosted runners because workflow code can execute on the runner machine.
Bluewright reads GITHUB_TOKEN or GH_TOKEN only when cloning private GitHub
repositories or reviewing pull requests. Do not commit tokens, generated
artifacts, local cache directories, or downloaded repositories.