| Version | Supported |
|---|---|
| 1.1.x | yes |
Until Secrets Spotter reaches 2.0, only the latest minor version receives security fixes.
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private security advisory mechanism:
- Go to https://github.com/yipjunkai/secrets-spotter/security/advisories
- Click "Report a vulnerability"
- Fill in the form with as much detail as you can share
We aim to acknowledge reports within 72 hours. There is no separate email contact at this stage; the GitHub advisory channel is the only supported route.
In scope for the advisory channel:
- Pattern bypasses that let real secrets evade detection in ways an attacker could exploit (e.g. encoding tricks, unicode normalization edge cases that escape the regex set)
- Memory safety issues in the Rust core or WASM bindings — panics, infinite loops, or unbounded allocations triggered by crafted input
- Browser extension issues that could expose scanned content to other origins, leak secrets between tabs, or be used by a hostile page to deanonymize the user
- Supply chain concerns (dependency vulnerabilities not yet flagged by Dependabot or `cargo audit`)
Out of scope for the advisory channel (use a regular issue instead):
- Missing patterns for services not yet supported (open a regular feature request)
- False positives on production-like inputs (open a regular bug report)
- Performance issues (open a regular issue)
- Feature requests