vane 0.9.2

A flow-based reverse proxy with multi-layer routing and programmable pipelines.

# Security Policy

This document describes how to report security vulnerabilities and how they are handled.

This project is open source and maintained by volunteers.
Security handling follows a best-effort model.

---

## Supported Versions

Only the latest released version is actively supported, unless stated otherwise.

Older versions may not receive security fixes.

---

## Reporting a Vulnerability

If you believe you have found a security vulnerability, **do not disclose it publicly**.

Please report it privately using one of the following methods:

- Email: t@canmi.icu
- GitHub Security Advisory (preferred if available)

Do **not** open public issues, pull requests, or discussions to report security problems.

---

## Required Information

To help us evaluate the report, please include at least:

- A clear description of the vulnerability
- At least one **affected version** in which the issue can be reproduced
- If possible, a **version range**
- Reproduction steps or proof-of-concept

Incomplete reports may be deprioritized.

---

## Response Expectations

- This project is maintained without guaranteed compensation.
- There is **no obligation** to provide immediate responses or guaranteed fixes.
- Most vulnerabilities are addressed because we want the project to be better, not because of contractual duty.

We typically review security reports within **24 hours**, but this is **not guaranteed**.

If you receive no response after **72 hours**, you may try another reporting channel or send a reminder.

---

## Fixes and Disclosure

- Confirmed vulnerabilities may only be disclosed **after a fixed version is released**.
- Coordinated disclosure is required.
- Maintainers decide if and when disclosure is appropriate.

---

## Good-Faith Testing

Good-faith security research is allowed under the following conditions:

- No intentional harm
- No data destruction or data exfiltration
- No service disruption
- No abuse of infrastructure

If our open-source software is deployed on internal or public servers and a vulnerability exists, limited testing is acceptable.
Actions commonly understood as malicious or unethical are **not** permitted.

---

## Recognition

If you successfully identify and help fix a security issue, you may be credited or invited to become a maintainer.

This is discretionary.

---

## Authority

Maintainers have final authority over:

- Vulnerability validation
- Severity assessment
- Fix prioritization
- Disclosure timing