The Deta team takes the security of Surf seriously. If you discover a security vulnerability, please report it responsibly.
Please use GitHub's private vulnerability reporting feature:
- Navigate to the Security tab of this repository
- Click Report a vulnerability
- Fill out the vulnerability report form with as much detail as possible
Alternatively, if you cannot use GitHub's reporting feature, please email us at: security@deta.surf
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: Potential impact and severity assessment
- Reproduction Steps: Detailed steps to reproduce the issue
- Proof of Concept: Code snippets, screenshots, or videos demonstrating the vulnerability
- Suggested Fix: If you have ideas on how to resolve the issue (optional)
- Environment Details: Affected versions, operating systems, configurations, etc.
Once we receive a report, our process is:
- Acknowledgment: We will acknowledge receipt of your report as soon as possible
- Validation: We will validate and reproduce the reported vulnerability
- Fix Development: Our team will develop and test a fix
- Disclosure: We will coordinate disclosure timing
- Release: We will release a security patch and publish an advisory
- Credit: We will credit you in our release notes unless you request anonymity
The following are outside the scope of our security policy:
- Issues in dependencies (please report these to the respective maintainers)
- Social engineering attacks
- Physical security issues
- Issues affecting outdated or unsupported versions
We currently do not offer a bug bounty program, but we deeply appreciate security reports which help keep Surf secure.
We follow a coordinated disclosure approach:
- Please allow us reasonable time to address the vulnerability
- We request that you do not publicly disclose the vulnerability until we have released a fix
Contact:
- Security Email: security@deta.surf
- Security Team: @security (GitHub team mention)
Thank you for helping keep our project and its users safe!