
Security: form3tech-oss/go-ci-fuzz


.github/SECURITY.md

Security Policy

Thank you for helping keep Form3 systems and services secure. We value responsible disclosure and the work of the security community.

Reporting a Vulnerability

If you believe you have discovered a potential security vulnerability, please report it to:

responsible.disclosure@form3.tech

To help us triage effectively, please include:

  • A clear description of the issue and affected system(s)
  • Reproduction steps and a non-disruptive proof of concept
  • Supporting evidence (e.g. screenshots, logs, code snippets)
  • An assessment of potential impact

Reports without sufficient detail or clear security impact may not be actioned.

Scope

This policy applies to Form3 systems and services. Third-party services or dependencies are out of scope.

Guidelines

We ask that you:

  • Act in good faith and avoid actions that could harm our systems or users
  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue
  • Do not disrupt services (e.g. denial of service or high-volume scanning)
  • Do not engage in social engineering, phishing, or physical attacks

The following are generally considered out of scope or low priority:

  • Low-impact issues without demonstrable security impact
  • Missing best practice configurations (e.g. security headers)
  • TLS configuration preferences (e.g. cipher suites, legacy protocol support)

Coordinated Disclosure

We ask that you do not publicly disclose vulnerabilities, including referencing Form3 in connection with a vulnerability, until we have had a reasonable opportunity to investigate and remediate the issue.

Please coordinate with us prior to any public disclosure so we can agree on appropriate timing and messaging. Once disclosure is agreed, any public communication should be accurate, reflect the actual impact, and be shared responsibly.

We will not unreasonably delay public disclosure once a fix or mitigation is available.

Our Commitment

  • We will acknowledge receipt of your report
  • We will investigate and provide updates as appropriate
  • Where applicable, we will remediate validated issues
  • We may acknowledge your contribution, with your consent

Legal

This policy does not grant permission to act in any way that violates applicable laws or regulations.

Rewards

We do not operate a bug bounty programme and do not offer financial compensation for vulnerability reports.

Thank you for helping us improve our security.
