The repository has only one release branch, and we (myself and other contributors) will do our best to keep it safe.
Security holes in software are almost inevitable, but I'm committed to working with the open source community to fix (potential) security risks, and we'll be submitting the latest security updates to Magic-Link (i.e., this repository), so all you need to do is pull those new updates.
First of all, please keep it confidential, because the fewer people who know about the vulnerability, the less impact it will have on the users of the project.
If you're not sure if you've actually found a security vulnerability, that's fine, please submit it to us, whether it's useful or not, we'll review it carefully and appreciate your enthusiasm!
Second, please send as much detail as possible about the vulnerability and related details to lilac@muna.uk.
Finally, I will review what you send in the shortest possible time, and if a security vulnerability does exist, I will work with the contributors to the security team to fix the issue, as well as disclose the details of the vulnerability and thank you when a security patch is released.
Of course, each of us can make our own contribution to the project!
The easiest way to do this is: you can find Issues labeled "Code Security Hazards Disclosure" in the "Issues" section of the project, which will contain issues that are Potential, non-serious security issues that are public but haven't been fixed yet. While these security issues don't affect the security of the program, it's still relevant!
Yes.
I will follow the principle of transparency and public disclosure of security vulnerabilities that have been fixed, which I believe makes sense.
If for some reason the vulnerability in question is not fixed within 60 days, I will still disclose the vulnerability on the 61st day, even if it is not resolved, because I believe that it is pointless and dangerous to hide these security vulnerabilities so that they may be resolved by contributors in the open source community.