Security policy
Reporting a vulnerability
Section titled “Reporting a vulnerability”Do not open a public GitHub issue for security problems. Use GitHub’s private vulnerability reporting instead:
→ https://github.com/textrefs/textrefs.org/security/advisories/new
This opens a private advisory visible only to repository maintainers. If you cannot use the advisory form (no GitHub account, accessibility reasons), email community@textrefs.org instead and we will open the advisory on your behalf.
What to include
Section titled “What to include”A useful report includes:
- a description of the issue and its impact;
- steps to reproduce, or a proof-of-concept;
- the affected version, commit, or URL;
- any known mitigations or workarounds;
- whether you intend to disclose publicly and on what timeline.
If you used an AI coding assistant while investigating, keep the initial report private — agents can help reproduce, draft a fix, or check documentation, but the disclosure decision rests with maintainers.
Our commitments
Section titled “Our commitments”- We acknowledge new advisories within 5 working days.
- We aim to assess and triage within 10 working days of acknowledgement.
- We follow a 90-day disclosure timeline from the date you report. If a fix is not available by then, we will coordinate with you on a revised date.
- We credit reporters in the advisory and release notes, unless you ask to remain anonymous.
In scope:
- the textrefs.org website and its build pipeline;
- the data model, JSON-LD context, and any published API endpoints;
- the registry data (mappings, identifiers, exports) once published.
Out of scope:
- vulnerabilities in third-party platforms we link to (Perseus, Wikidata, etc.) — report those upstream;
- denial-of-service through obviously expensive but documented queries;
- social-engineering reports against maintainers.