Security Policy

We publish how we respond when something breaks.

Accountability is the second of our three principles — Security → Accountability → Detail. AI can generate code; it cannot take responsibility for it. This page is that responsibility in writing: how to report a vulnerability, exactly what happens next, and a public CVE ledger anyone can audit.

Reporting a vulnerability

Found a flaw in a Samchil module? Tell us privately first. We practice coordinated disclosure: we aim to ship a fix before the details become public.

01

Where to send it

Email a private report to security@samchil.dev. Do not open a public GitHub issue for a suspected vulnerability — that exposes users before a patch exists.

02

What to include

Affected module and grade, version or commit, a minimal reproduction or proof-of-concept, and the impact you believe it has. The clearer the repro, the faster the fix.

03

In scope

Any Samchil-published module — FREE source, HARDENED, or AUDITED deliverables — and this site. Third-party dependencies are forwarded upstream with credit to you.

04

What you can expect

An acknowledgement from a person, an honest severity assessment, a fix on a published timeline, and public credit on disclosure unless you ask to stay anonymous.

Report channel — security@samchil.dev. Encrypt sensitive details on request.

Safe harbor — for research conducted in good faith and in line with the ground rules below, we will not pursue or support legal action against you. This assurance is ours alone: it cannot waive the rights of third parties or any obligation under applicable law.

  • Don't access, modify, or destroy data that isn't yours.
  • No denial-of-service or load testing that degrades the service.
  • No social engineering of staff, customers, or vendors.
  • Give us reasonable time to fix before sharing details publicly.

What happens after you report

A fixed, published process — not a promise to “look into it.” Every report moves through these four stages.

Within 48 hours

Acknowledged

A real person confirms receipt and opens a tracking record. No automated black hole.

Within 5 days

Triaged & scored

We reproduce the report, assign a severity (Critical / High / Medium / Low), and tell you our planned fix window.

Severity-based

Patched

Fix targets follow the table below. Affected paid customers receive the patch through lifetime updates, ahead of public disclosure wherever possible.

Day 90 (or on patch)

Disclosed

Coordinated disclosure: we publish an advisory and patch note no later than 90 days after the report, sooner if a fix ships first or the flaw is already exploited in the wild.

Severity & fix targets

Severity drives the clock. These are the targets we hold ourselves to — published so our response is measurable. They are a standard we work to, not a contractual guarantee.

Severity | Typical case                                      | Fix target
Critical | Remote exploit, auth bypass, key/secret exposure  | ≤ 7 days
High     | Privilege escalation, significant data exposure   | ≤ 30 days
Medium   | Limited-impact or hard-to-exploit weakness        | ≤ 90 days
Low      | Defense-in-depth, hardening, informational        | Next release

CVE response policy

When a vulnerability is exploitable and affects published modules, we request a CVE identifier, publish an advisory with a CVSS score, and ship a patch note describing the root cause and the fix. The depth of that obligation rises with the grade.

Grade    | Disclosure obligation
FREE     | Best-effort security patches to the public repository. Advisories posted on the GitHub repo.
HARDENED | Security patches delivered through lifetime updates. Advisory + patch note published here.
AUDITED  | Mandatory: public CVE response history and patch notes, every entry logged in the ledger below — disclosure is part of the deliverable, not a courtesy.

Patch notes are append-only. We never silently rewrite history — a corrected entry is added, never overwritten. That is the whole point of a ledger you can trust.

CVE response history

The public ledger. Every advisory, with its CVE ID, affected module, severity, and patch, lands here permanently.

No vulnerabilities reported to date.

As of 27 June 2026, no CVE has been filed against any Samchil module. An empty ledger is not a claim of perfection — it is a commitment that the first entry will appear here, in full, the day it is confirmed.

Email & privacy

If you subscribe to our newsletter, here is exactly what we collect, why, and how to remove yourself — no surprises.

  • What we collect — your email address only. Nothing else is required to subscribe.
  • Why — to send new blog posts and security module launch announcements you opted in to. We do not sell or share your address.
  • Double opt-in — you only start receiving email after clicking the confirmation link we send. An unconfirmed address is never emailed again.
  • Processor — delivery runs through Loops (loops.so), where your address and consent timestamp are stored on our behalf.
  • Retention — kept until you unsubscribe, then removed from active sending.
  • Your control — every email has a one-click unsubscribe, and you can email hello@samchil.dev to be removed at any time.

Contact

Security reports
security@samchil.dev
AUDITED Q&A
30-day email window, included with every AUDITED purchase
Operated by
Soft37 · Seoul, Republic of Korea