Security: byronwade/dits

Security Policy

Supported Versions

We actively support and patch security vulnerabilities in the following versions:

Version Supported
0.1.x
< 0.1

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue in Dits, please help us by reporting it responsibly.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing: security@dits.io

Include the following information in your report:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity
  • Any suggested fixes or mitigations (optional)

What to Expect

  • Acknowledgment: We'll acknowledge receipt of your report within 24 hours
  • Investigation: We'll investigate the issue and provide regular updates (at least weekly)
  • Fix Timeline: We'll work on a fix based on the severity:
    • Critical: 24-48 hours
    • High: 1 week
    • Medium: 2 weeks
    • Low: Next regular release
  • Disclosure: We'll coordinate disclosure timing with you
  • Credit: We'll credit you in the security advisory (unless you prefer anonymity)

Scope

This security policy applies to:

  • The Dits CLI application
  • The Dits web interface
  • The Dits server/API
  • Official Dits SDKs and libraries
  • DitsHub (the hosted service)

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who follow these guidelines.

Security Updates

Security updates will be released as patch versions with the following naming convention:

  • 0.1.2-security for security patches
  • Regular changelog entries for security fixes
  • CVEs assigned where appropriate

Bug Bounty

We offer bounties for qualifying security vulnerabilities:

  • Critical: $1,000 - $5,000
  • High: $500 - $1,000
  • Medium: $100 - $500
  • Low: Recognition

Details at: https://ditshub.com/security/bounty

Contact

For security-related questions:

Previous Security Advisories

See our security advisories page for previously disclosed vulnerabilities.

There aren’t any published security advisories