8.9 KiB
Security Vulnerability Reporting
This file explains how to report security vulnerabilities to the Claude How To project.
Quick Links
- Private Reporting: https://github.com/luongnv89/claude-howto/security/advisories
- Security Policy: SECURITY.md
- Report Template: See below
Report a Vulnerability
Option 1: GitHub Private Vulnerability Report (RECOMMENDED)
This is the preferred method for reporting security vulnerabilities.
Steps:
- Go to: https://github.com/luongnv89/claude-howto/security/advisories
- Click "Report a vulnerability"
- Fill in the details (use template below)
- Submit
Advantages:
- Keeps vulnerability private until fix is released
- Automatic notifications to maintainers
- Built-in collaboration features
- Integrated with GitHub security tools
Option 2: GitHub Security Alert (For Dependencies)
If you discover a vulnerability in a dependency:
- Go to: https://github.com/luongnv89/claude-howto/security/dependabot/alerts
- Review the alert
- Create a pull request with the fix
- Tag with
securitylabel
Option 3: Private Email (If GitHub unavailable)
If you cannot use GitHub's reporting system:
Coming soon: Security contact email will be added here
For now, use GitHub's private vulnerability reporting as described above.
Vulnerability Report Template
Use this template when reporting a vulnerability:
**Title**: [Brief description of vulnerability]
**Severity**: [Critical/High/Medium/Low]
Estimated CVSS Score: [0-10]
**Type**: [Code/Documentation/Dependency/Configuration]
**Affected Component**:
- File: [path/to/file.py]
- Section: [Section name if documentation]
- Version: [latest/specific version]
**Description**:
[Clear explanation of what the vulnerability is]
**Potential Impact**:
[What could an attacker do with this vulnerability?]
[Who could be affected?]
**Steps to Reproduce**:
1. [First step]
2. [Second step]
3. [Third step]
[Expected result vs actual result]
**Proof of Concept** (if available):
[Code or steps to demonstrate the vulnerability]
**Suggested Fix**:
[Your recommended solution, if you have one]
**Additional Context**:
[Any other relevant information]
**Your Information**:
- Name: [Your name or anonymous]
- Email: [Your email]
- Credit: [How you'd like to be credited, if at all]
What Happens After You Report
Timeline
-
Immediate (< 1 hour)
- Automatic notification sent to project maintainers
-
Within 24 hours
- Initial assessment of the report
- Confirmation that we received it
- Preliminary severity assessment
-
Within 48 hours
- Detailed response from security team
- Questions for clarification (if needed)
- Timeline for fix (if vulnerability confirmed)
-
Within 1-7 days (depends on severity)
- Fix developed and tested
- Security advisory prepared
- Fix released and public advisory published
Communication
We will keep you informed through:
- GitHub private vulnerability discussion
- Email (if provided)
- Updates in the discussion thread
You can:
- Ask clarifying questions
- Provide additional information
- Suggest improvements to the fix
- Request timeline adjustments
Disclosure Timeline
Critical Issues (CVSS 9.0-10.0)
- Fix: Released immediately (within 24 hours)
- Disclosure: Public advisory issued same day
- Notice: 24 hours advance notice to reporter
High Issues (CVSS 7.0-8.9)
- Fix: Released within 48-72 hours
- Disclosure: Public advisory on release
- Notice: 5 days advance notice to reporter
Medium Issues (CVSS 4.0-6.9)
- Fix: Included in next regular update
- Disclosure: Public advisory on release
- Notice: Coordinated timing
Low Issues (CVSS 0.1-3.9)
- Fix: Included in next regular update
- Disclosure: Advisory on release
- Notice: Same day as release
Security Vulnerability Criteria
In Scope
We accept reports on:
-
Code Vulnerabilities
- Injection attacks (command, SQL, etc.)
- Cross-site scripting (XSS) in examples
- Authentication/authorization flaws
- Path traversal vulnerabilities
- Cryptography issues
-
Documentation Security
- Exposed secrets or credentials
- Insecure code patterns
- Security anti-patterns
- Misleading security claims
-
Dependency Vulnerabilities
- Known CVEs in dependencies
- Supply chain attacks
- Malicious dependencies
-
Configuration Issues
- Insecure defaults
- Missing security headers
- Credential exposure in examples
Out of Scope
We do NOT accept reports on:
- Vulnerabilities in Claude Code itself (contact Anthropic)
- Vulnerabilities in external services
- Theoretical vulnerabilities without proof
- Issues already reported to upstream projects
- Social engineering or phishing
- User education/training issues
Responsible Disclosure Guidelines
Do's ✅
- Report privately before public disclosure
- Be specific with file paths and line numbers
- Provide proof of the vulnerability
- Give us time to fix (coordinated disclosure)
- Update if you discover more details
- Be professional in all communications
- Respect confidentiality until we publish
Don'ts ❌
- Don't publicly disclose before we fix
- Don't exploit the vulnerability beyond testing
- Don't modify other users' data
- Don't demand payment or favors
- Don't share the vulnerability with others
- Don't use it in any harmful way
- Don't spam with non-security related issues
Coordinated Disclosure
We practice responsible disclosure:
- Private Report: You report to us privately
- Our Assessment: We evaluate and assess severity
- Fix Development: We develop and test a fix
- Advance Notice: We give you advance notice before public disclosure
- Public Release: We release fix and advisory together
- Your Credit: We acknowledge your contribution (if desired)
Timeline varies based on severity (see section above)
After the Fix is Released
Public Advisory
A public security advisory will include:
- Description of the vulnerability
- Affected versions
- Severity (CVSS score)
- Steps to remediate
- Link to the fix
- Credit to reporter (with permission)
Your Recognition
If you wish to be credited:
- Your name/handle in the advisory
- Link to your profile/website
- Mention in release notes
- Addition to hall of fame (if created)
No Compensation
Please note:
- This is a volunteer-run open-source project
- We cannot offer financial rewards
- We do offer recognition and credit
- Your contribution helps the community
Security Research
If you're conducting security research:
- Get Permission: Contact maintainers first
- Define Scope: Agree on what you'll test
- Report Findings: Use this process
- Respect Timeline: Allow time for fixes
- Publish Responsibly: Coordinate with us
Questions?
For questions about this process:
- Check SECURITY.md for detailed policy
- Look at FAQ section below
- Open a discussion with
[SECURITY]label - Use private vulnerability reporting for sensitive questions
FAQ
Q: Will my report be kept confidential? A: Yes, until the fix is released. We only share details with those working on the fix.
Q: How long do I need to wait before public disclosure? A: We follow responsible disclosure timelines based on severity (24 hours to 7 days). You can agree to extend this if needed.
Q: Will I get credit? A: Yes, in the security advisory and release notes (unless you prefer anonymity).
Q: What if the vulnerability is minor? A: All legitimate security issues are taken seriously. Even minor fixes will be acknowledged.
Q: Can I report vulnerabilities in documentation only? A: Yes! Documentation security is important too. Examples with insecure patterns are in scope.
Q: What if I'm not sure if something is a security issue? A: Report it anyway! If it's not a security issue, we'll let you know. False positives are fine.
Q: Can I publicly discuss the vulnerability after reporting? A: No, please keep it private until we publish the advisory. Premature disclosure could put users at risk.
Q: How do I know you received my report? A: GitHub will send an automatic notification, and we'll follow up within 24 hours.
Q: What if I don't hear back? A: Check GitHub security advisories page. If you still don't see a response, you can follow up with a comment on the private report.
Resources
- SECURITY.md - Full security policy
- CONTRIBUTING.md - Contributing guidelines
- CODE_OF_CONDUCT.md - Community standards
- OWASP Guide - Responsible disclosure best practices
- Coordinated Vulnerability Disclosure
Thank you for helping keep this project secure! 🔒