Please report vulnerabilities privately. Do not open a public issue.
Preferred: create a private Azure DevOps work item (Security
category) assigned to the maintainer (@ahuelsmann).
If Azure DevOps access is not available, contact the maintainer via
Azure DevOps profile message.
Include reproduction steps, affected components, and any exploit
details. Avoid sharing secrets in reports.
Scope
Supported branches: main (current development). Older branches
are maintained on a best-effort basis.
Components: MOBAflow (Windows desktop), MOBAsmart (Android), MOBApi
(REST API), Backend, TrackPlan, SharedUI, and the common/domain
libraries shipped in the repo.
Handling Process
We acknowledge reports within 3 business days.
We reproduce, assess severity, and prepare a fix/mitigation.
A patched build is produced and communicated before public disclosure.
Credits are given when desired by the reporter.
Best Practices for Contributors
Keep secrets out of source control (tracked
MOBAflow/appsettings*.json files must stay secret-free; use User
Secrets or environment variables for credentials).
Rotate keys after tests with real services (e.g., Azure Speech).
Prefer relative paths for local assets and avoid embedding absolute user paths.
Update vulnerable dependencies promptly and document
security-impacting changes in PR descriptions.
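As an added example (not part of the repository or this policy), a small pre-commit style check that walks the tracked appsettings*.json files and flags secret-like keys (API keys, passwords, connection strings) that carry a real value instead of an empty string or placeholder. The MOBAflow directory, the key-name pattern and the placeholder list are assumptions to adjust per project; credentials themselves belong in User Secrets or environment variables, as the policy says.

```python
import json
import re
import sys
from pathlib import Path

# Assumed: key names (anywhere in the section path) that usually carry credentials.
SECRET_PATH_PATTERN = re.compile(r"key|secret|password|token|connectionstring", re.IGNORECASE)
# Assumed: values that are safe to commit because they are empty or obvious placeholders.
PLACEHOLDERS = {"", "<set-via-user-secrets>", "changeme", "your-key-here"}


def find_secret_values(config: dict, prefix: str = "") -> list[str]:
    """Return .NET-style section paths (Section:Key) whose name looks secret-bearing
    and whose string value is neither empty nor a known placeholder."""
    hits: list[str] = []
    for key, value in config.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            hits.extend(find_secret_values(value, path + ":"))
        elif isinstance(value, str) and SECRET_PATH_PATTERN.search(path):
            if value.strip().lower() not in PLACEHOLDERS:
                hits.append(path)
    return hits


def scan_appsettings(root: Path) -> dict[str, list[str]]:
    """Scan every appsettings*.json below root and map each offending file to its hits."""
    report: dict[str, list[str]] = {}
    for file in sorted(root.rglob("appsettings*.json")):
        try:
            data = json.loads(file.read_text(encoding="utf-8-sig"))  # tolerate a BOM
        except (json.JSONDecodeError, OSError):
            continue  # not valid JSON or unreadable: nothing to judge here
        hits = find_secret_values(data)
        if hits:
            report[str(file)] = hits
    return report


if __name__ == "__main__":
    # Constructed usage: fail the commit when any tracked appsettings file leaks a value.
    findings = scan_appsettings(Path(sys.argv[1] if len(sys.argv) > 1 else "MOBAflow"))
    for path, keys in findings.items():
        print(f"{path}: secret-like values under {', '.join(keys)}")
    sys.exit(1 if findings else 0)
```

Wire it up as a pre-commit hook or CI step so a populated `AzureSpeech:Key` or `ConnectionStrings:Default` never reaches the repo; a rotated key after a real-service test run is still needed if one slips through.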