Thank you for helping to keep quartzctl secure and trustworthy. We take security seriously and encourage responsible disclosure of any vulnerabilities you may discover.
Version | Supported |
---|---|
main | ✅ |
older | ❌ |
We only support the latest version of the main branch. Older versions are not guaranteed to receive security updates.
If you believe you’ve found a security vulnerability in quartzctl, please do not open a GitHub issue or pull request. Instead, report it privately by emailing:
Please include:
- A detailed description of the vulnerability.
- Steps to reproduce.
- A proof-of-concept (if applicable).
- Any known mitigations or workarounds.
Due to limited resources maintaining this project, response times cannot be guaranteed.
We follow the principle of responsible disclosure and will work with you to coordinate a fix and a disclosure timeline. We request you do not publicly disclose details of the vulnerability until we have confirmed and published a patch.
We credit all researchers who responsibly disclose issues (unless you request otherwise).
All contributors are expected to:
- Follow secure coding practices (e.g., input validation, error handling).
- Avoid introducing hardcoded secrets or credentials.
- Ensure dependencies are up-to-date and do not introduce known vulnerabilities.
- Use signed commits (`git commit -s`) and follow the CONTRIBUTING.md guidelines.
- Run and pass all static analysis, lint, and vulnerability scanning tools included in the CI pipeline.
quartzctl uses the following tools to help detect known CVEs and maintain secure dependencies:
- govulncheck
- gosec
- GitHub Dependabot (enabled for this repository)
We are working toward full OpenSSF Scorecard compliance.
Future releases may be cryptographically signed. Details will be published here when that process is in place.
For non-security issues, please use the issue tracker. For security-related matters, use the private disclosure process outlined above.