If you discover a security vulnerability in Constellation Hub, please report it responsibly:
- Do NOT open a public GitHub issue for security vulnerabilities
- Email: security@constellation-hub.dev (or use GitHub's private vulnerability reporting)
- Include in your report:
  - A description of the vulnerability
  - Steps to reproduce it
  - An assessment of the potential impact
  - Any suggested remediation
Our response timeline:

| Action | Timeline |
|---|---|
| Acknowledge receipt | Within 48 hours |
| Initial assessment | Within 5 business days |
| Status update | Every 7 days until resolved |
| Fix available | Depends on severity; critical issues are fixed as soon as possible |

Supported versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ Active |
| < 1.0 | ❌ Not supported |
Ongoing security measures:

- All dependencies are scanned for known vulnerabilities
- Container images are scanned before release
- Security advisories are published via GitHub Security Advisories
- Critical updates are released as soon as fixes are available

We follow coordinated disclosure:
- Work with reporter to understand and verify the issue
- Develop and test a fix
- Release the fix and publish an advisory
- Credit the reporter (unless they prefer anonymity)
Thank you for helping keep Constellation Hub secure!