
Security: meigma/blob-action

SECURITY.md

Security Policy

Reporting Security Issues

If you discover a security vulnerability in Blob Action, please report it through GitHub's private vulnerability reporting feature:

  1. Go to the Security tab of this repository
  2. Click "Report a vulnerability"
  3. Provide a detailed description of the issue

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Include as much of the following information as possible to help us understand and resolve the issue:

  • Type of issue (e.g., command injection, credential exposure, supply chain attack)
  • Full paths of source file(s) related to the issue
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue and how an attacker might exploit it

Supported Versions

We provide security updates for the following versions:

Version   Supported
1.x       Yes

Response Timeline

  • Initial Response: We aim to acknowledge receipt of your vulnerability report within 3 business days.
  • Status Update: We will provide a more detailed response within 10 business days, including our assessment and expected timeline for a fix.
  • Resolution: We strive to resolve critical vulnerabilities within 30 days of the initial report.

Disclosure Policy

We follow a coordinated disclosure process:

  1. Security issues are handled privately until a fix is available.
  2. Once a fix is ready, we will create a security advisory and release a patched version.
  3. We will publicly disclose the vulnerability after users have had reasonable time to update.
  4. Credit will be given to the reporter (unless anonymity is preferred) in the security advisory.

Security Practices

Blob Action implements the following security measures:

CLI Download Verification

  • CLI binaries are downloaded over HTTPS exclusively
  • The release checksums file is verified with Cosign (Sigstore signature) before any hash in it is trusted
  • The downloaded binary is then compared against its entry in the verified checksums file before installation

GitHub Actions Security

Signing and Verification

When used with signing enabled, this action:

  • Uses Sigstore keyless signing with the workflow's GitHub OIDC token (which is why id-token: write is required only when signing is enabled)
  • Supports policy-based verification of signatures and attestations
  • Integrates with actions/attest-build-provenance for SLSA provenance

Third-Party Dependencies

For vulnerabilities in third-party dependencies used by Blob Action:

  • If the vulnerability affects Blob Action, please report it through our security reporting process above
  • We use Dependabot to monitor for dependency vulnerabilities
  • For vulnerabilities in upstream projects, please report directly to those projects:
    • Blob CLI: Report to meigma/blob
    • npm packages: Use the affected package's own security reporting mechanism

Security-Related Configuration

When using Blob Action:

  • Grant id-token: write only when Sigstore signing is enabled; it is not needed otherwise
  • Grant packages: write only when the workflow pushes to a registry
  • Configure verification policies for production deployments
  • Review policy files before use to ensure they match your security requirements
  • Reference artifacts by digest (@sha256:...) instead of by tag: a tag can be re-pointed after you verified it, a digest pins exactly the content that was verified
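The checks described above (CLI Download Verification, Signing and Verification, and the digest-reference advice in this section) combine into a short consumer-side script. The following is an added example written for this page, not code from meigma/blob-action or the Blob CLI: it verifies a checksums file's Sigstore keyless signature with Cosign, pinning both the certificate identity and the GitHub OIDC issuer, compares a downloaded binary against the verified checksums, and refuses to verify an OCI reference that is not a digest. The identity regular expression, the issuer URL, and the file names in the usage comment are assumptions; replace them with the values of the signing workflow you actually trust.

```shell
#!/bin/sh
# Added example (not part of meigma/blob-action). Verification a consumer of a
# keyless-signed release or OCI artifact would run. Identity/issuer values are
# assumptions; substitute the real signing workflow identity.
set -eu

# Assumed: the OIDC issuer Sigstore sees for GitHub Actions keyless signing.
GITHUB_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Verify the Sigstore signature over a checksums file before trusting any hash
# in it. Pinning the certificate identity AND the OIDC issuer is what makes
# keyless verification meaningful: without them a valid Fulcio certificate
# issued to an unrelated repository would also pass.
#   usage: verify_checksums_signature CHECKSUMS SIG CERT IDENTITY_REGEXP
verify_checksums_signature() {
  checksums="$1"; sig="$2"; cert="$3"; identity_re="$4"
  cosign verify-blob \
    --certificate "$cert" \
    --signature "$sig" \
    --certificate-identity-regexp "$identity_re" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    "$checksums"
}

# Compare a downloaded file against the entry for its basename in an
# (already verified) sha256sum-style checksums file. Fails closed when the
# entry is missing or the hash differs.
#   usage: verify_artifact_checksum CHECKSUMS ARTIFACT
verify_artifact_checksum() {
  checksums="$1"; artifact="$2"
  name=$(basename "$artifact")
  # sha256sum lines look like "<hex>  name" or "<hex> *name" (binary mode).
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$checksums")
  if [ -z "$expected" ]; then
    echo "verify: no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$artifact" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "verify: checksum mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
}

# Accept only digest references (registry/repo@sha256:<64 hex chars>). A tag
# can be re-pointed after verification; a digest cannot.
#   usage: require_digest_ref REF
require_digest_ref() {
  if printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'; then
    return 0
  fi
  echo "verify: refusing non-digest reference '$1'" >&2
  return 1
}

# Verify the keyless signature attached to an OCI artifact, again pinning
# identity and issuer, and only for a digest reference.
#   usage: verify_signed_ref REF IDENTITY_REGEXP
verify_signed_ref() {
  ref="$1"; identity_re="$2"
  require_digest_ref "$ref"
  cosign verify \
    --certificate-identity-regexp "$identity_re" \
    --certificate-oidc-issuer "$GITHUB_OIDC_ISSUER" \
    "$ref"
}

# Runs only when invoked with arguments, e.g. (assumed file names and identity):
#   sh verify.sh checksums.txt checksums.txt.sig checksums.txt.pem blob-linux-amd64 \
#     '^https://github.com/meigma/blob/\.github/workflows/release\.ya?ml@refs/tags/v'
if [ "$#" -eq 5 ]; then
  verify_checksums_signature "$1" "$2" "$3" "$5"
  verify_artifact_checksum "$1" "$4"
  echo "verified $4"
fi
```

The order matters: the signature over the checksums file is checked first, so a tampered checksums file cannot vouch for a tampered binary. Both cosign calls use --certificate-identity-regexp and --certificate-oidc-issuer, the flags that bind a keyless signature to a specific workflow identity; the offline parts (checksum comparison and the digest-reference check) need no network or cosign binary.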
