Do not report security issues in public issues, discussions, or pull requests.
Report vulnerabilities through GitHub's private vulnerability reporting flow for debugbundle/debugbundle-js:
Include a clear description, impact assessment, affected version or commit, reproduction steps, and any mitigations you have already validated.
DebugBundle is pre-production. Security fixes are applied against the current main branch and the latest unreleased code in this repository.
- Initial triage within 3 business days.
- A follow-up status update after reproduction and impact assessment.
- Coordinated disclosure after a fix or mitigation is available.
Security concerns include:
- Secret, token, or credential leakage in SDK transport and relay handling.
- Redaction failures for secrets, PII, or regulated data.
- Browser relay trust-boundary failures or origin-validation bypasses.
- Request correlation or trigger-token handling that crosses request boundaries incorrectly.
Please avoid public issues until maintainers confirm a fix or mitigation window. Once a report is confirmed, maintainers will coordinate remediation, validation, and disclosure timing with the reporter when practical.