OSSMark is not a security scanner, but security reports about OSSMark itself are welcome.
Please do not open a public issue for a suspected vulnerability. Contact the maintainer privately after the GitHub repository is created, then include:
- A concise description.
- Reproduction steps.
- Impact assessment.
- Suggested fix if known.
In scope:
- Bugs that expose local file contents unexpectedly.
- Report generation issues that leak secrets from audited repositories.
- CLI behavior that executes untrusted project commands.
Out of scope:
- Missing deep dependency vulnerability checks.
- Findings from third-party scanners against example fixtures.