This is our policy for reporting security vulnerabilities and overall guidelines on what you should do upon discovering one.

Please report security advistiry from "New draft security advisory" in the Security tab

In order to report a security vulnerability, you can use GitHub's built-in tool which easily allows you to calculate an attack vector/CVSS string or attribute to an existing CVE code. This allows us to accurately calculate the severity and/or importance of preventing it.

If you spot a secret in the code, please let us know by contacting us on Discord via private DM. This helps us quietly remove the vulnerability without letting others abuse it.

DarkSky relies heavily on the Bluesky (ATProtocol) API via open source project FishyFlip. If you believe that you have found a security vulnerability in the API and not DarkSky, please please please email Bluesky via [email protected], Bluesky's official vulnerability report email.

If you believe you have found a security vulnerability, please email us at [email protected] with a description of the issue.

What have we done to keep DarkSky safe?

We have implemented Dependabot alerts to automatically track security vulnerabilities that apply to the repository's dependencies.

We have enabled GitHub Code Scanning to automatically scan our code for potential GitHub client secrets and other API tokens.

We have enabled GitHub security advisories to let us know if a potential security problem might affect our repository or if something doesn't look right with any of our other security vulnerability countermeasures. This makes it easy to track potential errors or problems that might expose user credentials publicly or cause other similar problems.