Skrepr takes all security bugs in ansible-role-backup seriously. Thank you for improving the security of ansible-role-backup. We appreciate your efforts and responsible disclosure.

If you believe you have found a security vulnerability in any skrepr-owned repository, please report it to us as described below.

• Please do not report security vulnerabilities through public GitHub issues.
• Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
• Do not reveal the problem to others until it has been resolved.
• Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
• Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Complex vulnerabilities may require further explanation.

Report security bugs by emailing the lead maintainer at jeroen@skrepr.com with a CC to info@skrepr.com.

The lead maintainer will acknowledge your email within 48 hours, and will send a more detailed response within 48 hours indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix, and may ask for additional information or guidance.

Report security bugs in third-party modules to the person or team maintaining the module.

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

• Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

We prefer all communications to be in Dutch. If Dutch is not your first language, please communicate in English.

When the security team receives a security bug report, they will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

• Confirm the problem and determine the affected versions.
• Audit code to find any potential similar problems.
• Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.

If you have suggestions on how this process could be improved please submit a pull request.