| Version | Supported |
|---|---|
| 0.x (alpha) | Patches on a best-effort basis |
| 1.x (when released) | Security patches in the latest minor release only |
Please do not open a public GitHub issue for security vulnerabilities.
Instead, email security@<project> with:
- A clear description of the vulnerability
- Steps to reproduce (or proof-of-concept)
- Potential impact (who is affected, what can be done)
- Your suggested remediation (if you have one)
- Whether you wish to be credited, and under what name
We will acknowledge receipt within 72 hours and aim to provide an initial assessment (confirmed, not reproducible, or out of scope) within 7 days.
In scope:
- Bugs in OpenHuizeBox code that could allow a guest-to-host VM escape
- Flaws that let the software under analysis detect that it is running in the sandbox (which undermines the research the sandbox exists for); we treat these as security-relevant bugs
- Secrets or API keys accidentally committed
- Supply-chain issues in our dependencies
Out of scope:
- Vulnerabilities in Oracle VirtualBox itself — report to Oracle
- Attacks that already require administrator (root) access to the host; an attacker with that access controls the sandbox anyway
- Social engineering
- Bugs in the target software being analyzed (that's why you're analyzing it)
We follow a coordinated disclosure timeline:
- Day 0: report received
- Day 1–3: acknowledged
- Day 4–30: triaged, fix developed
- Day 31–60: fix released, CVE requested if applicable
- Day 61+: public disclosure
We will delay public disclosure if a downstream user (enterprise, regulator, etc.) needs more time to roll out the patch, but not indefinitely.
(No advisories yet — this project is new.)