| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| < 0.3 | ❌ |

Only the latest minor version receives security fixes. Please upgrade to 0.3.x (or later) before reporting vulnerabilities in older versions.
If you discover a security vulnerability in endpulse, please report it privately — do not open a public issue.
Preferred channel:
Alternative:
- Email the maintainer at `kim.hinton00@gmail.com` with the subject line `endpulse security:`.

Please include:
- The endpulse version and Python version you tested.
- A minimal reproduction (CLI command or YAML config).
- The impact (what an attacker could do).
- Any suggested mitigation or patch, if you have one.

| Step | Target |
|---|---|
| Acknowledgement | Within 72 hours |
| Initial assessment | Within 7 days |
| Fix or planned timeline | Within 14 days for confirmed issues |
| Public advisory + credit | After a fix ships, with reporter credit (opt-in) |

In scope:
- endpulse Python package and its CLI.
- The `action.yml` GitHub Actions composite action.
- Documentation or configuration templates that could mislead users into insecure setups.

Out of scope:
- Vulnerabilities in upstream dependencies (`httpx`, `click`, `rich`, `pyyaml`) — report those to the respective projects.
- Denial-of-service against a user's own endpoints (endpulse is a client tool; aggressive usage settings are user-controlled).
- Issues requiring privileged local access or modified source.

We will not pursue legal action against researchers who:
- Report in good faith through the private channels above.
- Avoid accessing, modifying, or exfiltrating data that isn't their own during testing.
- Give us a reasonable window to fix before public disclosure.