If you discover a security vulnerability in mpak, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email security@mpak.dev with:
- A description of the vulnerability
- Steps to reproduce
- The affected component (registry, CLI, scanner, web, SDK, schemas)
- Any potential impact assessment
After you report, you can expect:
- Acknowledgment: within 48 hours of your report
- Initial assessment: within 5 business days
- Fix timeline: depends on severity, but we aim for:
  - Critical: 72 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: next release cycle
The following are in scope:
- The mpak registry server (`apps/registry`)
- The mpak CLI (`packages/cli`)
- The mpak SDK (`packages/sdk-typescript`)
- The mpak web UI (`apps/web`)
- The MTF security scanner (`apps/scanner`)
- The OIDC publishing flow
- Bundle integrity and trust score accuracy
The following are out of scope:
- Vulnerabilities in third-party dependencies (report these upstream)
- Denial of service attacks against the public registry
- Social engineering attacks
We follow coordinated disclosure. We will:
- Confirm the vulnerability and its scope
- Develop and test a fix
- Release the fix and publish a security advisory
- Credit the reporter (unless anonymity is requested)
We ask that you give us reasonable time to address the issue before any public disclosure.
| Version | Supported |
|---|---|
| 0.x.x | Yes (current development) |