When Fluxgate's batch scanning identifies vulnerable workflows in public repositories, we follow this responsible disclosure process:
- Day 0: Finding identified during batch scan
- Day 1-3: Finding verified manually (not a false positive)
- Day 3-7: Maintainer contacted via:
  - Repository SECURITY.md contact (preferred)
  - Security advisory on the repository (if enabled)
  - Direct email to listed maintainers (fallback)
- Day 7: Confirmation of receipt requested
- Day 37: If no response, second notification attempt
- Day 67: Public disclosure of aggregate statistics (vulnerable repos are NOT named if unpatched)
The day-67 publication includes:
- Aggregate statistics (X of Y repos affected)
- Rule descriptions and detection logic
- Example vulnerable patterns (synthetic, not taken from real repos)
- Remediation guidance
It does NOT include:
- Names of affected repositories (withheld until the repository is patched or the 90-day window expires)
- Workflow file contents from unpatched repos
- Details that would enable exploitation
Two exceptions apply to this timeline:
- If a vulnerability is already being actively exploited in the wild (as with the Trivy compromise), we may accelerate the timeline
- If a maintainer requests extended time, we will accommodate up to 180 days for complex remediations
If you believe Fluxgate has identified a vulnerability in your repository and you'd like to coordinate, contact: christopherdlusk@gmail.com or open a GitHub Security Advisory.