We take the security of Perch seriously. Because Perch handles sensitive data (session tokens, OAuth credentials, hub auth tokens, and container and host metrics), we’d much rather hear about a problem from you than from an attacker.
Reporting a vulnerability
If you discover a security vulnerability, please do not open a public issue. Report it privately through one of these channels:
- GitHub private vulnerability reporting: open the Security tab on the repository and click "Report a vulnerability".
- Email: [email protected].
Please include as much detail as you can:
- the affected component (hub, agent, or web frontend);
- steps to reproduce;
- the potential impact (for example: auth bypass, credential exposure, RCE).
What to expect
- We’ll acknowledge your report within a few days.
- We’ll keep you updated as we investigate and work on a fix.
- Once a fix is released, we’ll credit you in the release notes, unless you’d prefer to stay anonymous.
Priority
Reports involving authentication, authorization, or credential handling are treated as high priority given the kind of data Perch is trusted with.
Scope
This policy covers the Perch software (hub, agent, and web frontend) and this website. If you’re running your own Perch instance, you’re also responsible for securing your deployment; the security docs cover the key controls to put in place.