If you discover a security vulnerability in edaphos, please do NOT open a public GitHub issue. Instead, send a private email to:
rodrigues.machado.hugo@gmail.com
Include in your report:
- A description of the vulnerability (what is at risk?).
- Reproduction steps (a minimal example or pointer to the affected function).
- The version of
edaphosyou tested against (packageVersion("edaphos")). - Your assessment of severity (e.g. CVSS-style: low / medium / high / critical).
- Optional: a suggested fix.
| Step | Target turnaround |
|---|---|
| Acknowledge receipt | Within 3 business days |
| Initial assessment | Within 7 business days |
| Patch release (when severity warrants) | 2-6 weeks depending on complexity |
| Public disclosure | After patched release on CRAN |
In scope:
- Code in this repository (
R/,src/,inst/,data/,tests/). - The pkgdown site (https://hugomachadorodrigues.github.io/edaphos/).
- CI workflows under
.github/workflows/.
Out of scope (please report directly to the upstream maintainer):
- Vulnerabilities in dependencies (Rcpp, RcppArmadillo, torch, terra, dagitty, bnlearn, ranger, ...).
- Vulnerabilities in CRAN / GitHub / Zenodo / OpenAlex platforms themselves.
All reports are treated as confidential. Reporters who request attribution in the patch release notes will be named (with permission). Anonymous reports are equally welcome and will be acknowledged generically.
edaphos is a research-grade open-source package with no
commercial backer; we do not run a bug-bounty programme.
Significant disclosures will be acknowledged in the README and
any associated peer-reviewed publication.