Security Disclosure Process
Our Commitment to Security
At Specmatic.io, we are committed to building secure software and fostering a secure ecosystem. We deeply value the contributions of security researchers and community members who help us improve the safety and reliability of our tools.
If you have discovered a security vulnerability in Specmatic, its dependencies, or associated infrastructure, we ask that you report it to us responsibly and privately. This helps us investigate and fix the issue before details are made public, protecting users and downstream projects.
How to Report a Vulnerability
If you believe you have found a security vulnerability, please follow the steps below:
- Do not disclose the issue publicly until we have had a chance to investigate and issue a fix.
- Send a detailed report to us at: 📧 security[at]specmatic.io
Include:
- A clear description of the issue
- Steps to reproduce the vulnerability
- Any proof-of-concept code or exploit (if applicable)
- The version(s) of Specmatic affected
- Your contact information (optional, if you’d like credit or follow-up)
What Happens Next
- Acknowledgment: We will acknowledge your report within 2 business days.
- Triage: The issue will be assessed and prioritized based on its severity and impact.
- Remediation: If valid, we will begin developing a fix, and may ask for clarification or additional details.
- Release: A patch will be released in accordance with our Vulnerability Remediation SLA.
- Credit (optional): We may acknowledge your responsible disclosure in our release notes or on a hall of fame page, if desired.
Guidelines for Responsible Disclosure
We ask that researchers:
- Do not attempt to access or modify user data that does not belong to you.
- Avoid actions that could cause service disruption (e.g., DDoS, brute force).
- Act in good faith and give us a reasonable amount of time to resolve the issue.
We are committed to working with researchers in a respectful, timely, and fair manner, and we do not pursue legal action against those who follow this process in good faith.
Thank you for helping keep Specmatic and its users safe!