Report a Vulnerability
Report suspected vulnerabilities privately. Do not open public issues for credential exposure, policy bypass, unsafe execution, exploitable operational failures, or other security defects.
Reporting Channels
| Channel | Use for |
|---|---|
| GitHub private advisory | Open-source Caracal vulnerabilities: https://github.com/Garudex-Labs/caracal/security/advisories/new |
| Email | Sensitive reports, attachments, patches, exploit demonstrations, or enterprise-related reports: support@garudexlabs.com |
Enterprise-related vulnerabilities must be reported by email, not GitHub advisories.
Email Format
Subject: [SECURITY][caracal] Short description

1. Summary
2. Steps to reproduce
3. Impact
4. Affected area
5. Suggested fix
6. Attachments

Keep reports clear, reproducible, and private. Do not include secrets in public channels or public pull requests.
Response and Disclosure
The maintainers aim to review and respond within 7 days. Resolution timing depends on the complexity of the issue and the validation it requires. Public disclosure should wait until a fix or mitigation is available, or until the maintainers decide not to address the issue.

