This policy covers security vulnerabilities in the jitsudo CLI, its provider integrations, and supporting libraries maintained under the jitsudo-dev GitHub organization.
Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via GitHub's private vulnerability reporting feature. This keeps the disclosure confidential until a fix is available.
Include the following in your report:
- A description of the vulnerability and its potential impact
- Steps to reproduce, including relevant configuration or environment details
- Any provider(s) affected (AWS IAM, GCP IAM, Azure RBAC, Kubernetes RBAC)
- Whether you believe a fix or mitigation is straightforward
| Milestone | Target |
|---|---|
| Acknowledgement of report | 2 business days |
| Initial severity assessment | 5 business days |
| Fix or mitigation plan communicated | 14 days |
| Public disclosure (coordinated) | After fix is released |
We will keep you informed throughout and credit you in the security advisory unless you prefer otherwise.
We use CVSS v3.1 to assess severity. Issues that allow privilege escalation, credential exfiltration, policy bypass, or audit log tampering will be treated as high or critical priority.
Until a stable v1.0 release, only the latest commit on `main` is supported. We do not backport fixes to older tags during the pre-release period.
The following are out of scope for this policy:
- Vulnerabilities in cloud provider infrastructure itself (report those to AWS, GCP, Azure, or the Kubernetes project directly)
- Issues that require an attacker to already have equivalent or higher privilege than the elevation being requested
- Theoretical attacks without a demonstrated or plausible exploit path