Rumba takes security seriously. This document explains how to report vulnerabilities.
- Go to the specific repository
- Click the Security tab
- Select Report a vulnerability
- Fill out the form with details
GitHub's private vulnerability reporting keeps your report confidential until a fix is available.
Include the following in your report:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
- Suggested fix (optional)
Report security issues in dependencies directly to their maintainers.
When you report a security issue:
- We acknowledge receipt within 48 hours
- We provide status updates as we investigate
- We credit reporters in security advisories (unless you prefer anonymity)
- We coordinate disclosure timing with you
For issues that cannot be reported through GitHub, or for coordinated disclosure discussions:
- Email: hello+security@rumba.id
This policy covers:
- The Rumba identity platform
- Official container images
- Documentation that could lead to security issues
Out of scope:
- Third-party integrations not maintained by us
- Issues in dependencies (report to upstream)
- Social engineering attacks
- Physical security
We ask that you:
- Give us reasonable time to address issues before public disclosure
- Avoid accessing or modifying user data
- Act in good faith to avoid privacy violations and service disruption
We will not pursue legal action against researchers who follow these guidelines.