| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability in the Shai-Hulud 2.0 Detector tool itself, please report it responsibly.
- Do NOT open a public issue for security vulnerabilities
- Email the maintainers with details of the vulnerability
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response timeline:

- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 7 days
  - Medium: 30 days
  - Low: Next release
In scope:

- Vulnerabilities in the detector code
- Issues that could lead to false negatives (missing detections)
- Information disclosure vulnerabilities
- Denial of service in the scanning process

Out of scope:

- The Shai-Hulud 2.0 attack itself (report to npm/GitHub)
- Packages listed in our database (that's the point!)
- Social engineering attacks
- Physical security
We consider security research conducted in good faith to be:
- Authorized in accordance with this policy
- Protected from legal action by us
- Helpful to the community
We will not pursue civil or criminal action against researchers who:
- Act in good faith
- Avoid privacy violations
- Do not destroy data
- Report findings to us
When using this tool, we recommend:
- Regular Updates: Keep the action version updated
- Fail on Critical: Enable `fail-on-critical: true`
- Schedule Scans: Run daily scans via cron
- Monitor Outputs: Alert on any detections
- Multi-layer Defense: Use alongside other security tools
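A workflow that applies the recommendations above, added here as an illustration rather than taken from the project's own documentation. The action reference `OWNER/shai-hulud-2-detector@v1` is a placeholder to be replaced with the real name and a pinned release tag from the README; `fail-on-critical` is the input named in this policy.

```yaml
# Added example: daily scheduled scan that fails the job on critical findings
# and surfaces detections as a workflow error annotation.
# OWNER/shai-hulud-2-detector@v1 is a placeholder, not the real action name.
name: Shai-Hulud 2.0 scan

on:
  schedule:
    - cron: "0 6 * * *"      # daily at 06:00 UTC (cron-based schedule)
  push:
    branches: [main]         # also scan on every change to the default branch
  workflow_dispatch:         # allow manual runs when new IoCs are published

permissions:
  contents: read             # least privilege: the scan only needs to read the repo

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run detector
        # Pin to a released tag and keep it updated (e.g. via Dependabot)
        uses: OWNER/shai-hulud-2-detector@v1   # placeholder action reference
        with:
          fail-on-critical: true               # make critical detections fail the job

      - name: Alert on detection
        if: failure()                          # runs only when the detector step failed
        run: |
          echo "::error::Shai-Hulud 2.0 indicators detected; review the detector step output"
```

Because the job fails on a critical detection, existing branch protection and workflow-failure notifications act as the alert channel, which is the "Monitor Outputs" recommendation in practice.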
We thank security researchers who have helped improve this tool:
- Your name could be here!
Thank you for helping keep the open-source community safe.