Security: thenoname-gurl/EcliPanel

SECURITY.md

EclipseSystems Security Policy

Version 1.1 - 2026
A project of Misiu LLC
Authorized steward: Maksym Huzun (noname@eclipsesystems.org)

Security is a core priority for EclipseSystems. We welcome responsible disclosure of vulnerabilities and appreciate the efforts of security researchers who help keep the ecosystem safe.

1. Reporting a Vulnerability

If you discover a security vulnerability, please report it privately and responsibly.

Do NOT open a public GitHub issue.
Do NOT disclose the vulnerability publicly.

Instead, send a detailed report to:

security@eclipsesystems.org (24h SLA) or
noname@eclipsesystems.org or GitHub Security Advisory

Your report should include:

  • A clear description of the issue
  • Steps to reproduce
  • Potential impact
  • Proof-of-concept (if applicable)
  • Suggested remediation (optional but appreciated)

2. What We Expect From Researchers

To ensure safe and responsible testing:

  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them.
  • Do not access, modify, or delete data you do not own.
  • Do not perform denial-of-service attacks or load testing.
  • Do not attempt to bypass licensing, attribution, or commercial restrictions.
  • Do not test against production systems unless explicitly authorized.
  • You MAY test against the non-production environment at https://canary.ecli.app/ and https://backend.canary.ecli.app/ when using a wearehackerone.com email address, and you may use only your own servers and accounts for testing purposes.

3. What You Can Expect From Us

Upon receiving a report, EclipseSystems will:

  • Acknowledge receipt within 24 hours.
  • Investigate the issue promptly.
  • Provide updates as the investigation progresses.
  • Work toward a fix or mitigation.
  • Credit researchers who request acknowledgment (unless anonymity is preferred).
  • Offer a monetary reward in some cases.

4. Scope

This policy applies to:

  • All EclipseSystems repositories
  • All official deployments operated by EclipseSystems under Misiu LLC

5. Out-of-Scope Activities

The following are not considered valid vulnerabilities:

  • License or attribution removal attempts
  • Social engineering of maintainers or stewards
  • Issues requiring physical access
  • Vulnerabilities in third-party dependencies not maintained by EclipseSystems

6. Legal Safe Harbor

EclipseSystems will not pursue legal action against researchers who:

  • Follow this policy in good faith
  • Avoid harmful or destructive testing
  • Report vulnerabilities privately and responsibly

7. Amendments

This policy may be updated by EclipseSystems under Misiu LLC or by authorized stewards designated by Maksym Huzun.
