FinCore Engine handles financial transactions and compliance data. Security is treated as a correctness requirement, not an afterthought. This document describes how to report vulnerabilities and what to expect in response.
| Version | Supported |
|---|---|
| main branch (pre-release) | Yes - active development |
| 0.x releases | Yes - patch releases for HIGH and CRITICAL findings |
| < 0.1.0 | No - pre-release snapshots, no backport commitment |
Once 1.0.0 is released, this table will be updated to reflect the N and N-1 minor version support window.
Do not open a public GitHub issue for security vulnerabilities. Public disclosure before a fix is available puts all users at risk.
Use GitHub Private Security Advisories to report confidentially. This is the fastest path to triage.
Send a detailed report to hello@itiana.dev with the subject line `[SECURITY] FinCore Engine - <brief description>`.
Note: This email address is active. Set up a PGP-encrypted channel if you need to share sensitive payloads - request the maintainer's public key via email first.
- Description - what the vulnerability is and which component is affected.
- Impact - what an attacker can do by exploiting it (confidentiality, integrity, availability).
- Steps to reproduce - minimal, deterministic reproduction steps.
- Environment - version/commit SHA, OS, Java version, relevant configuration.
- Suggested fix - if you have one (optional but appreciated).
| Stage | Target |
|---|---|
| Acknowledgement | Within 48 hours of receipt |
| Initial triage (severity classification) | Within 5 business days |
| Fix or mitigation plan for CRITICAL/HIGH | Within 30 days |
| Fix or mitigation plan for MEDIUM/LOW | Within 90 days |
| Public disclosure | After fix is released, coordinated with reporter |
These are targets, not guarantees. Complex vulnerabilities may take longer. The maintainer will communicate status if a deadline cannot be met.
FinCore Engine follows a 90-day coordinated disclosure policy:
- Reporter submits via the private channel above.
- Maintainer acknowledges, triages, and begins working on a fix.
- A CVE is requested if the finding meets the threshold.
- A fix is released in a patch version.
- A public security advisory is published on GitHub.
- If 90 days pass without a fix, the reporter may disclose at their discretion after notifying the maintainer.
Credit is given in the advisory unless the reporter prefers to remain anonymous.
The following are not considered in-scope vulnerabilities for this project:
- Denial-of-service attacks requiring physical access or insider credentials.
- Social engineering of maintainers or users.
- Vulnerabilities in dependencies - report those upstream to the respective project; we will update the dependency promptly when a fix is available.
- Findings in `docs/private/` (gitignored, not part of the public repository).
- Issues in forks or unofficial distributions.
FinCore Engine is a pre-revenue OSS project. There is no formal bug bounty program. Researchers who make a significant contribution to improving security may be recognized via GitHub Sponsors at the maintainer's discretion. Ask if you want to discuss this before reporting.
| Purpose | Contact |
|---|---|
| Vulnerability reports | hello@itiana.dev or GitHub Security Advisories |
| Security policy questions | GitHub Discussions - Security category |
| Maintainer | @tiana-code |