m1ngsama/TNT
1
0
Fork 0
mirror of https://oauth2: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@github.com/m1ngsama/TNT.git synced 2026-06-26 05:34:39 +08:00
Code Issues Projects Releases Packages Wiki Activity Actions
TNT/SECURITY.md

1.7 KiB
Raw Blame History

Security Policy

Supported Versions

TNT currently supports security fixes for the latest published release and the current main branch.

Version Supported
latest release yes
main best effort
older releases no

This policy will become stricter after TNT has a longer stable release history.

Reporting a Vulnerability

Do not open a public issue for a security vulnerability.

Report privately through one of these paths:

  • GitHub private vulnerability reporting, when available on the repository
  • email: contact@m1ng.space

Include:

  • affected version or commit
  • operating system and deployment shape
  • reproduction steps or proof of concept
  • expected impact
  • whether the issue is already public

Response

The maintainer will try to acknowledge valid reports within 7 days. Fixes may land on main before a release is published. For serious issues, the release notes will mention the security impact after users have a reasonable upgrade path.

Scope

In scope:

  • remote crashes or memory-safety bugs
  • authentication or access-token bypass
  • unintended file writes outside TNT_STATE_DIR
  • privilege escalation in packaged service configuration
  • release artifact tampering or installer verification bypass

Out of scope:

  • denial of service from an operator intentionally disabling rate limits
  • identity spoofing in the documented anonymous-access mode
  • vulnerabilities requiring local administrator access to the host

Release Integrity

Release binaries are published with checksums.txt. The installer verifies the selected binary against that file before installation. Future releases should add a detached signature for checksums.txt before package recipes are submitted to public registries.