| Version | Supported |
|---|---|
| 1.0.x | ✅ Current release |
If you discover a security vulnerability in LocaleSync, please report it responsibly.
Do not open a public issue.
Instead, please email contact@polprog.pl with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
Security concerns relevant to LocaleSync include:
- Credential handling - leakage of translation provider API keys in logs, UI, or error pages
- Path traversal when resolving locale directories or output paths
- Output safety - XSS or HTML injection in the rendered web dashboard
- Placeholder tampering - unsafe interpolation that could alter translation semantics
- Sensitive data leakage - internal paths, tokens, or config values exposed in UI or logs
- Dependency vulnerabilities in third-party packages
We follow coordinated disclosure:
- Report the issue privately via the contact above.
- We confirm receipt and begin investigation.
- Once a fix is released, we publicly acknowledge the reporter (with their consent).