airsonic-pulse/.github/SECURITY.md
litebito 5e1ed930ef
chore: rename in-repo references for Airsonic-Pulse org transfer (#163)
Updates GitHub URLs from litebito/airsonic-pulse to
Airsonic-Pulse/airsonic-pulse and GHCR namespace from
ghcr.io/litebito/airsonic-pulse to ghcr.io/airsonic-pulse/airsonic-pulse,
in preparation for the org transfer.

Liquibase changesets, historical release notes (v13.1.0-rc.1.md),
HISTORY.md, intentional upstream-attribution references to
kagemomiji/airsonic-advanced, and the FUNDING.yml / CoC contact email
are explicitly excluded.

fixes #162

Co-authored-by: litebito <litebito@users.noreply.github.com>
2026-05-14 16:43:38 +02:00

2.8 KiB

Security Policy

Supported versions

Airsonic-Pulse is a community continuation of Airsonic / Airsonic-Advanced, currently maintained by a single person on a best-effort basis (see CONTRIBUTING.md). Security fixes are provided only for the most recent release line.

Version Supported
13.x
< 13.0

If you are running an older release, please upgrade before reporting a security issue.

Reporting a vulnerability

Please do not open public issues, pull requests, or discussions for security vulnerabilities.

Use GitHub's private vulnerability reporting feature:

➡️ Report a vulnerability

This delivers the report privately to the maintainers; the contents are not visible to the public.

What to include

To help triage quickly, please include where possible:

  • Affected version(s) of Airsonic-Pulse
  • A clear description of the vulnerability and its impact
  • Steps to reproduce, or a proof-of-concept
  • Your environment (OS, Java version, database, deployment method)
  • Whether the vulnerability is already public, or has been shared with anyone else

What to expect

This is a best-effort, non-funded project maintained in spare time. Realistic expectations:

  • Acknowledgement of receipt: within 14 days
  • Initial assessment: within 30 days
  • Fix or mitigation timeline: depends on severity, complexity, and maintainer availability

You will be credited (with your consent) in the published security advisory once a fix is released.

Coordinated disclosure

We follow coordinated disclosure. Please do not publicly disclose the vulnerability until a fix has been released, or until 90 days have passed since your initial report — whichever comes first. If more time is needed, we are open to discussing an extension.

Out of scope

The following are generally out of scope for security advisories:

  • Vulnerabilities in third-party dependencies — please report those upstream; Airsonic-Pulse will pick up the fix once a patched version of the dependency is released.
  • Issues that require the attacker to already have administrator access on the Airsonic-Pulse instance.
  • Self-XSS or social-engineering attacks targeting administrators.
  • Missing security headers without a demonstrable exploit path.
  • Denial-of-service from clearly excessive request volume — Airsonic-Pulse does not ship a rate limiter by design; this is expected to be handled by a fronting reverse proxy.
  • Issues reproducible only on unsupported or end-of-life configurations.

Hall of fame

Researchers who responsibly disclose valid security issues will be acknowledged in the published advisory and (with their permission) listed here once advisories are released.