# Reporting vulnerabilities

The full disclosure policy lives in [`SECURITY.md`](https://gitea.dcglab.co.uk/steve/restic-manager/src/branch/main/SECURITY.md) at the repo root. The short version:

- **Don't open a public issue.**
- Send a Gitea private message to `steve` on , or email the address on the maintainer's profile, with a subject like `[SECURITY] restic-manager: `.
- Expect an acknowledgement within 3 working days; escalate through the other channel if you don't get one.
- Default disclosure window is **30 days from confirmed report to public disclosure**, faster if a PoC is already circulating, slower only by mutual agreement.

## What to include

A description of the issue and the impact, the affected component (server / agent / install script / docs), the version, and reproduction steps. A working PoC is welcome but not required — a credible threat model is enough.

## In scope vs. out of scope

See the full policy. Quick highlights:

- **In scope:** server, agent, install scripts, docker image, docker-compose reference, crypto choices, docs that lead to insecure configs.
- **Out of scope:** restic itself (report upstream), unpatched third-party deps (report upstream first), pre-authenticated admin abuse (admins are designed to have full power), DoS on deployments without the recommended reverse proxy.