This repository contains educational curriculum and documentation only - no production software, application servers, or APIs. There are no versioned software releases to patch.
| Content | Supported |
|---|---|
| Curriculum documentation (docs/) | Current main branch |
| GitHub Actions workflows (.github/workflows/) | Current main branch |
| Build scripts (scripts/) | Current main branch |
| AI agent prompts (.github/prompts/, .github/agents/) | Current main branch |
Please do not report security vulnerabilities as public GitHub Issues. Public issues are visible to everyone, including people who might exploit the vulnerability before it is fixed.
This repository has Private Vulnerability Reporting enabled. To submit a report:
- Navigate to the Security tab of this repository
- Select "Report a vulnerability"
- Fill in the form with:
  - A clear title describing the issue
  - A detailed description of the vulnerability and its potential impact
  - Steps to reproduce (if applicable)
  - Your suggested fix (optional but appreciated)
- Submit - only the maintainers will see your report
Even though this is an educational repository, the following are genuine security concerns:
- Malicious content injected into curriculum files - documentation that contains links to phishing sites, malware downloads, or misleading instructions
- GitHub Actions workflow vulnerabilities - script injection risks in `.github/workflows/` (untrusted event data such as a pull request title interpolated into a `run:` step), insecure use of `GITHUB_TOKEN`, or pull-request-triggered workflows that execute untrusted code from a fork with a write-capable token
- Hardcoded credentials - any real tokens, passwords, or API keys accidentally committed to any file
- Supply chain risks - compromised npm dependencies used by the build system
- Prompt injection in agent files - AI agent prompts (`.prompt.md`, `.agent.md`) that could manipulate an LLM into producing harmful output
The following are out of scope for private security reports:
- Theoretical attacks with no realistic exploitation path
- Vulnerabilities in GitHub's own infrastructure (report those to GitHub directly at github.com/security)
- Broken links or outdated documentation (open a regular issue for those)
| Milestone | Target |
|---|---|
| Acknowledge receipt | Within 3 business days |
| Initial assessment | Within 7 business days |
| Fix deployed (if confirmed) | Within 30 days for critical/high; 90 days for medium/low |
| Public disclosure | After fix is deployed, or coordinated with reporter |
This curriculum is designed to teach GitHub to workshop participants. The primary security risks are:
- Documentation accuracy - incorrect instructions that could cause participants to configure their systems insecurely
- Workflow integrity - GitHub Actions that run on pull requests from forks must use the least-privileged trigger and token, and must never run the fork's code with a write-capable `GITHUB_TOKEN` or interpolate untrusted pull-request data into shell steps
- Dependency security - the build system uses Node.js packages that must be kept up to date
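The scoping that the workflow-integrity and script-injection points above describe, as an added example. This is not one of this repository's workflows; the workflow name, job name, and the existence of an `npm run build` script are assumed for illustration.

```yaml
# Added example (not this repository's workflow): a docs-build check that runs
# on pull requests from forks without handing the fork's code a write token.
name: docs-build-check

# `pull_request` runs against the PR merge commit and gives fork PRs a read-only
# GITHUB_TOKEN. `pull_request_target` runs in the base repository with a
# read/write token; combining it with a checkout of the PR head lets a fork's
# code run with that token (the privilege-escalation case mentioned above).
on:
  pull_request:
    branches: [main]

# Least privilege for the whole workflow; a job that needs more asks for it explicitly.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pin third-party actions to a full commit SHA in production so a moved tag
      # cannot swap in different code (the supply-chain point above).
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # `npm ci` installs exactly what package-lock.json records; `npm install`
      # could resolve to newer, unreviewed versions.
      - run: npm ci

      # Script injection: untrusted PR fields must not be expanded inside `run:`.
      # UNSAFE - the title is attacker-controlled and is substituted into the
      # script text before the shell parses it:
      #   run: echo "Checking PR: ${{ github.event.pull_request.title }}"
      # SAFE - pass the value through an environment variable and quote it, so
      # the shell only ever sees it as data:
      - name: Log PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking PR: $PR_TITLE"

      # Assumed build script; substitute the repository's real one.
      - run: npm run build
```

If a workflow genuinely needs write access on fork PRs (for example to post a comment), keep the privileged `pull_request_target` job separate from any step that checks out or executes the PR's code, and grant only the specific permission (such as `pull-requests: write`) that job requires.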
Security researchers who responsibly disclose valid vulnerabilities will be credited in the repository's release notes (unless they prefer to remain anonymous).
For general questions about the curriculum, open a regular issue. For security concerns, use private reporting above.