Report security issues privately by email:
security contact: support@mullusi.com
operator contact: tamirat@mullusi.com
Use GitHub issues only for non-sensitive tracking after secrets, exploit steps, and private provider details have been removed.
Security reports include:
- Secret exposure, credential leakage, or unsafe token handling.
- Authorization or authentication bypass.
- Unsafe deployment, DNS, package, or release authority.
- Governance bypass in repository rules, release workflows, or runtime gates.
- Mfidel atomicity violations in Ethiopian script handling.
- Data exposure through logs, errors, artifacts, or public repositories.
| Step | Requirement |
|---|---|
| Triage | Confirm affected repository, surface, and authority boundary |
| Containment | Revoke or rotate exposed credentials before public discussion |
| Repair | Patch source, workflow, host setting, or DNS/package authority |
| Verification | Run the relevant verifier before closure |
| Record | Link the issue, commit, release, or ops note that proves closure |
```powershell
powershell -ExecutionPolicy Bypass -File .\scripts\verify-authority-gates.ps1
powershell -ExecutionPolicy Bypass -File .\scripts\verify-domains.ps1
```

Repository-specific verifiers may add stricter gates. The stricter gate wins.
Do not put the following in public artifacts:
- Live tokens, private keys, cookies, or session values.
- Provider account IDs that are not already public.
- Exploit instructions before the affected surface is contained.
- Private roadmap or operational notebook details.
A security issue is resolved only when:
- The vulnerable state is no longer reachable.
- The relevant verifier passes or records an explicit external blocker.
- Follow-up authority work is tracked in an issue or ops note.