Reporting a Vulnerability
If you discover a security vulnerability in Provisionr Workspace CLI or any of its dependencies, please report it responsibly. We take all security reports seriously and will respond promptly.

Contact: security@provisionr.io

Do not open a public issue for security vulnerabilities. Public disclosure before a fix is available puts all users at risk.

What to Include
To help us triage and resolve the issue quickly, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected versions (check `prv --version` or the SBOM)
- Any proof-of-concept code or screenshots
- Your preferred method of contact for follow-up
Scope
The following are in scope for responsible disclosure:
- Provisionr Workspace CLI — the compiled binary and its source code
- Provisionr API — the backend API the CLI communicates with
- Dependencies — third-party packages bundled in the CLI binary (see the SBOM for the full inventory)
- Distribution infrastructure — Homebrew tap, binary hosting, update mechanisms
Out of Scope
- Social engineering attacks against Provisionr employees or users
- Denial of service (DoS/DDoS) attacks
- Vulnerabilities in third-party services not operated by Provisionr
- Issues that require physical access to a user’s machine
- Vulnerabilities in software or infrastructure not maintained by Provisionr
Response Timeline
| Stage | Target |
|---|---|
| Acknowledgment | Within 48 hours of report |
| Initial triage | Within 7 days |
| Fix for critical severity | Within 30 days |
| Fix for high severity | Within 60 days |
| Fix for medium/low severity | Next scheduled release |
Safe Harbor
Provisionr will not pursue legal action against security researchers who:
- Act in good faith to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or with explicit permission of the account holder
- Report vulnerabilities through the channels described in this policy
- Allow reasonable time for the issue to be resolved before any public disclosure
Recognition
We believe in recognizing the contributions of security researchers. With your permission, we will:
- Credit you by name (or handle) in our release notes and security advisories
- Acknowledge your contribution in the relevant SBOM changelog entry
Related Documentation
- Software Bill of Materials (SBOM) — full dependency inventory with version tracking
- Dependency Narrative — supply chain analysis and risk assessment for security reviewers