Security Policy
How to responsibly disclose security vulnerabilities in TLD.
Do not open public issues for security vulnerabilities
If you discover a security vulnerability, do NOT open a public GitHub issue. Use the private disclosure process below.
Reporting a vulnerability
Email security@thelastdeploy.com with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested remediation
You will receive an acknowledgment within 48 hours. We aim to resolve critical vulnerabilities within 7 days.
Scope
| In scope | Out of scope |
|---|---|
| API authentication bypass | Attacks on user-controlled lab environments |
| Privilege escalation in the CLI | Social engineering |
| Data exposure in API responses | Denial of service against public infra |
