31 lines
998 B
Markdown
31 lines
998 B
Markdown
# Security policy
|
|
|
|
Thanks for taking the time to look at this. This tool authenticates against
|
|
BMCs over SSH and HTTPS, runs commands as the chosen user, and writes their
|
|
output to disk — so vulnerability reports are very welcome.
|
|
|
|
## Supported versions
|
|
|
|
Only the latest tagged release is supported. Older versions will
|
|
not get fixes; please upgrade first.
|
|
|
|
## How to report a vulnerability
|
|
|
|
**Please do not open a public issue** for security-sensitive findings.
|
|
|
|
Report privately by email to the maintainer at engelgardt2024@gmail.com.
|
|
|
|
Please include:
|
|
- The version you tested (the startup banner is enough).
|
|
- Steps to reproduce.
|
|
- An assessment of impact.
|
|
|
|
Reports are reviewed and addressed on a best-effort basis. A fix and a public
|
|
advisory will be published once the issue is resolved. Reporters are credited
|
|
unless they prefer to stay anonymous.
|
|
|
|
## Out of scope
|
|
|
|
- Issues that require the attacker to already control the host or the BMC.
|
|
- Behaviour with explicitly broken credentials.
|