- Please report vulnerabilities privately. Do not open a public issue.
- Preferred: create a private Azure DevOps work item (Security category) assigned to the maintainer (@ahuelsmann).
- If Azure DevOps access is not available, contact the maintainer via Azure DevOps profile message.
- Include reproduction steps, affected components, and any exploit details. Avoid sharing secrets in reports.
- Supported branches: main (current development). Older branches are maintained on a best-effort basis.
- Components: MOBAflow (Windows desktop), MOBAsmart (Android), MOBApi (REST API), Backend, TrackPlan, SharedUI, and the common/domain libraries shipped in the repo.
- We acknowledge reports within 3 business days.
- We reproduce, assess severity, and prepare a fix/mitigation.
- A patched build is produced and communicated before public disclosure.
- Credits are given when desired by the reporter.
- Keep secrets out of source control (tracked MOBAflow/appsettings*.json files must stay secret-free; use User Secrets or environment variables for credentials).
- Rotate keys after tests with real services (e.g., Azure Speech).
- Prefer relative paths for local assets and avoid embedding absolute user paths.
- Update vulnerable dependencies promptly and document security-impacting changes in PR descriptions.
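The "appsettings*.json must stay secret-free" rule above is easy to state and easy to break by accident. The following is an added example of a pre-commit / CI check that enforces it; it is not code from the MOBAflow repository. It walks each JSON configuration file, flags string values whose key path looks credential-bearing (Key, Secret, Password, Token, ConnectionString, ...) or whose value embeds a `Password=`-style fragment, and tolerates obvious placeholders such as `<...>` or `${...}`. The key-name list, the placeholder conventions and the sample file contents are assumptions chosen for the example, not project conventions.

```python
"""Fail a commit or CI run if a tracked appsettings*.json carries a real credential.

Added example, not part of the MOBAflow repository. The key patterns and
placeholder conventions below are assumptions; adjust them to the project.
"""
import json
import re
import sys
from glob import glob

# Assumed: any config path containing one of these words is treated as secret-bearing.
SECRET_KEY_PATTERN = re.compile(
    r"(key|secret|password|pwd|token|connectionstring|credential)", re.IGNORECASE
)
# Assumed: values that embed a credential fragment even when the key name is harmless.
SECRET_VALUE_PATTERN = re.compile(
    r"(password|pwd|accountkey|sharedaccesskey)\s*=", re.IGNORECASE
)
# Assumed placeholder conventions: empty, <...>, ${...}, or a literal marker word.
PLACEHOLDER_PATTERN = re.compile(
    r"^$|^<[^<>]*>$|^\$\{[^{}]*\}$|^(changeme|todo|placeholder)$", re.IGNORECASE
)


def find_secret_values(config, path=""):
    """Return [(json_path, value)] for every suspicious, non-placeholder string.

    json_path uses the .NET configuration ':' separator (e.g. AzureSpeech:SubscriptionKey),
    which is also the form an environment-variable override would replace.
    """
    findings = []
    if isinstance(config, dict):
        for name, value in config.items():
            child = f"{path}:{name}" if path else name
            findings.extend(find_secret_values(value, child))
    elif isinstance(config, list):
        for index, item in enumerate(config):
            findings.extend(find_secret_values(item, f"{path}[{index}]"))
    elif isinstance(config, str):
        suspicious_key = bool(SECRET_KEY_PATTERN.search(path))
        suspicious_value = bool(SECRET_VALUE_PATTERN.search(config))
        if (suspicious_key or suspicious_value) and not PLACEHOLDER_PATTERN.match(config.strip()):
            findings.append((path, config))
    return findings


def scan_text(text):
    """Scan one JSON document given as text."""
    return find_secret_values(json.loads(text))


def scan_file(file_path):
    """Scan one file; utf-8-sig tolerates the BOM Visual Studio often writes."""
    with open(file_path, encoding="utf-8-sig") as handle:
        return find_secret_values(json.load(handle))


# Constructed sample: one placeholder (allowed) and one real-looking connection string (flagged).
SAMPLE_APPSETTINGS = """
{
  "Logging": { "LogLevel": { "Default": "Information" } },
  "AzureSpeech": {
    "Region": "westeurope",
    "SubscriptionKey": "<set via dotnet user-secrets or AZURESPEECH__SUBSCRIPTIONKEY>"
  },
  "ConnectionStrings": {
    "Backend": "Server=db;User Id=mobaflow;Password=hunter2;"
  }
}
"""


def main(paths):
    """Scan the given files (default: the tracked MOBAflow appsettings files); exit 1 on findings."""
    files = paths or sorted(glob("MOBAflow/appsettings*.json"))
    total = 0
    for file_path in files:
        for json_path, value in scan_file(file_path):
            total += 1
            # Print the path only, never the value, so the secret does not land in CI logs.
            print(f"{file_path}: secret-looking value at {json_path} ({len(value)} chars)")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_appsettings.py` from the repository root (or pass explicit paths) in a pre-commit hook or CI step; a non-zero exit blocks the commit. Findings are reported by configuration path and length only, so the check itself never copies a leaked value into build logs.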