Skip to content

Security: syntax-tree/hast

Security

security.md

Security policy

Note: this policy is new and untested. We’ll update and polish it as we’re receiving security issues.

Brand promise

Keeping users safe and secure is a top priority for us at syntax-tree. We welcome the contribution of external security researchers.

Scope

If you believe you’ve found a security issue in any software, service, or website governed by syntax-tree, we encourage you to notify us.

Projects governed by syntax-tree sometimes do unsafe things by design (such as a plugin that executes arbitrary code or an option that is dangerous). This unsafe behavior should be explicitly documented and, if it is, is not considered a security issue.

There are no hard and fast rules to determine if a bug is worth reporting as a security issue or a “regular” issue. When in doubt, please do send us a report.

How to submit a report

Security issues can be reported by sending an email to security@unifiedjs.com, which will go to all unified collective core team members. The team will acknowledge your email within 48 hours. You will receive a more detailed response within 96 hours.

We will create a maintainer security advisory on GitHub to discuss internally, and when needed, invite you to the advisory.

Safe harbor

syntax-tree supports safe harbor for security researchers who:

  • make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • only interact with accounts you own or with explicit permission of the account holder; if you do encounter Personally Identifiable Information (PII) contact us immediately, do not proceed with access, and immediately purge any local information
  • provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third-party
  • we will consider activities conducted consistent with this policy to constitute “authorized” conduct and will not pursue civil action or initiate a complaint to law enforcement; we will help to the extent we can if legal action is initiated by a third party against you

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

Preferences

  • please provide detailed reports with reproducible steps and a clearly defined impact
  • submit one vulnerability per report
  • social engineering (such as phishing, vishing, smishing) is prohibited

There aren’t any published security advisories