| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take security seriously. If you discover a security vulnerability, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report them via email to: security@gitant.io
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
You can expect the following response timeline:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Fix Development: Within 7 days for critical, 30 days for others
- Public Disclosure: After fix is released
We offer bug bounties for valid reports, scaled by severity:
| Severity | Bounty |
|---|---|
| Critical (RCE, Auth Bypass) | $500-$2000 |
| High (Data Leak, CSRF) | $200-$500 |
| Medium (XSS, Info Disclosure) | $50-$200 |
| Low (Minor Issues) | $25-$50 |
The following are in scope:
- gitant-daemon
- gitant-cli
- gitant-mcp
- gitant-web
- Smart contracts (Solidity)
The following are out of scope:
- Social engineering
- Physical attacks
- Denial of service
- Third-party dependencies (report to them directly)
Gitant implements the following security controls.
Authentication:
- UCAN capability tokens
- HTTP Signatures (RFC 9421)
- OAuth2 integration
- API key authentication
- LDAP integration
- TOTP 2FA
Authorization:
- Role-based access control (RBAC)
- Scoped UCAN capabilities
- Repository-level permissions
- Branch protection rules
Data protection:
- Encrypted secrets at rest
- SHA-256 hashed API keys
- Bcrypt password hashing
- TLS encryption in transit
Request hardening:
- CORS validation
- CSRF protection
- Rate limiting
- Input validation
- SSRF protection
- WebSocket origin validation
Monitoring:
- Request logging
- Activity tracking
- Webhook notifications
- Anomaly detection
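As an added illustration of the HTTP Signatures (RFC 9421) control listed above, and not code from the gitant project, the following Python example signs and verifies a request with `hmac-sha256`, covering the method, authority, path and an RFC 9530 `Content-Digest` so that none of them can be altered in transit. The verifier rejects expired or future-dated signatures, signatures that omit a required component, and any body that does not match the covered digest. The shared key, key ID, request values and 300-second lifetime are constructed placeholders, not gitant configuration.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed shared secret for hmac-sha256 (assumption for this example, not a gitant key).
SHARED_KEY = b"example-shared-secret-do-not-deploy"
KEY_ID = "demo-key"
# Components every signature must cover so method, host, path and body are all bound.
REQUIRED_COMPONENTS = ("@method", "@authority", "@path", "content-digest")
CLOCK_SKEW = 60  # seconds of clock drift tolerated on the created timestamp


def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value: sha-256=:<base64 digest>:"""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"


def signature_params(covered, created: int, expires: int) -> str:
    """Serialize the @signature-params inner list in RFC 8941 structured-field syntax."""
    inner = " ".join(f'"{c}"' for c in covered)
    return f'({inner});created={created};expires={expires};keyid="{KEY_ID}";alg="hmac-sha256"'


def signature_base(method, authority, path, headers, covered, params) -> str:
    """Build the RFC 9421 signature base: one line per covered component, then @signature-params."""
    lines = []
    for comp in covered:
        if comp == "@method":
            value = method.upper()
        elif comp == "@authority":
            value = authority.lower()
        elif comp == "@path":
            value = path
        else:
            value = headers[comp].strip()  # ordinary header field, looked up by lowercase name
        lines.append(f'"{comp}": {value}')
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign_request(method, authority, path, body: bytes, created=None, ttl=300) -> dict:
    """Return the Content-Digest, Signature-Input and Signature headers for a request."""
    created = int(time.time()) if created is None else created
    headers = {"content-digest": content_digest(body)}
    params = signature_params(REQUIRED_COMPONENTS, created, created + ttl)
    base = signature_base(method, authority, path, headers, REQUIRED_COMPONENTS, params)
    mac = hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()
    headers["signature-input"] = "sig1=" + params
    headers["signature"] = "sig1=:" + base64.b64encode(mac).decode() + ":"
    return headers


def verify_request(method, authority, path, body: bytes, headers, now=None) -> bool:
    """Verify a request produced by sign_request; every failure path returns False."""
    now = int(time.time()) if now is None else now
    try:
        label, _, params = headers["signature-input"].partition("=")
        sig_label, _, sig_value = headers["signature"].partition("=")
        if label != "sig1" or sig_label != "sig1":
            return False
        m = re.match(r'^\((.*?)\);created=(\d+);expires=(\d+);keyid="([^"]*)";alg="hmac-sha256"$', params)
        if not m or m.group(4) != KEY_ID:
            return False
        covered = tuple(c.strip('"') for c in m.group(1).split())
        created, expires = int(m.group(2)), int(m.group(3))
        # Reject signatures dated in the future and signatures past their expiry (bounds replay).
        if created > now + CLOCK_SKEW or now > expires:
            return False
        # Refuse a signature that leaves any security-relevant component unbound.
        if any(c not in covered for c in REQUIRED_COMPONENTS):
            return False
        # The body presented must match the digest the signature covers.
        if not hmac.compare_digest(headers["content-digest"], content_digest(body)):
            return False
        base = signature_base(method, authority, path, headers, covered, params)
        expected = hmac.new(SHARED_KEY, base.encode(), hashlib.sha256).digest()
        presented = base64.b64decode(sig_value.strip(":"))
        return hmac.compare_digest(expected, presented)
    except (KeyError, ValueError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed request: sign it, then verify the original and a path-tampered copy.
    body = b'{"name": "demo-repo"}'
    hdrs = sign_request("POST", "api.example.com", "/repos", body, created=1700000000)
    print("valid:", verify_request("POST", "api.example.com", "/repos", body, hdrs, now=1700000010))
    print("tampered path:", verify_request("POST", "api.example.com", "/repos/x", body, hdrs, now=1700000010))
```

The verifier recomputes the signature base from the request it actually received rather than trusting anything in the headers beyond the parameter string, which is what makes a changed path, host or body fail. Production use would replace the shared HMAC secret with per-client keys looked up by `keyid`, and would usually add a nonce store to close the remaining replay window inside `created`/`expires`.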
- Email: security@gitant.io
- PGP Key: [Available on request]
We thank the following security researchers:
- (Be the first to report a vulnerability!)