Security: 514-labs/moose

SECURITY.md

Thanks for helping make Moose safe for everyone.

Security

Fiveonefour takes the security of our software products and services seriously, including all of the open source code repositories managed through our 514-labs organizations, such as Moose.

Even though open source repositories are outside of the scope of our bug bounty program and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.

Reporting Security Issues

If you believe you have found a security vulnerability in any Fiveonefour-owned repository, please report it to us through coordinated disclosure.

Please do not report security vulnerabilities through public Fiveonefour issues, discussions, or pull requests.

Instead, please send an email to security[@]fiveonefour.com.

Please include as much of the information listed below as you can to help us better understand and resolve the issue:

  • The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

Response Timeline

We aim to respond to security reports within 48 hours and will strive to keep you informed about our progress throughout the process. Please allow us up to 90 days before any public disclosure to ensure we have sufficient time to address the issue.

Secure Communication

For sensitive reports, you can encrypt your findings using our PGP key.

Security Update Policy

Security updates will be released through:

  • Security advisories on affected repositories
  • Direct notifications to affected users when possible
  • Package updates through standard distribution channels

We recommend users:

  • Enable automated security updates
  • Monitor our security advisories
  • Regularly update to the latest stable versions

Supported Versions

We provide security updates for:

  • The latest major version
  • Long-term support (LTS) versions as designated

Thank you for helping keep Moose and its users safe!

There aren’t any published security advisories