Security

Reporting a vulnerability

If you've found a security issue in xiboplayer, please report it privately to:

PGP fingerprint:

991E 74C3 A033 673F 4FCF  25B8 B7D2 5A81 02F6 3D6A

Public key: keys.openpgp.org · keyserver.ubuntu.com

For GitHub-based reporting, use GitHub Security Advisories on any of our repositories.

Response policy

We acknowledge reports as soon as we reasonably can. We make no commitment to any specific response time, investigation depth, or patch schedule. We investigate reports on a best-effort basis as maintainer time allows.

Please do not disclose vulnerabilities publicly before we've had an opportunity to investigate.

In scope

• The source code in any xibo-players organisation repository.
• Binary releases on dl.xiboplayer.org and github.com/xibo-players/*/releases.

Out of scope

• Infrastructure we don't control.
• Third-party dependencies — please report those to their upstream maintainers.
• Deployments operated by others.

What we publish

• Security advisories — when we fix an issue we consider worth advising on, we publish a GitHub Security Advisory with CVE reference (when one is assigned) and remediation guidance.
• Software inventories — every release ships a CycloneDX SBOM for transparency. See the GitHub release page for download.
• Signed releases — all binary artifacts are GPG-signed. Public key: 04A9 1796 92E8 6CF1 1D10 3CBF 5A30 EA2B B69D 32F2 (Xibo Players <packages@xiboplayer.org>).

Vulnerability reporting to EU authorities

The xiboplayer project is an open-source project and is not registered as a CRA manufacturer or open-source steward under EU Regulation 2024/2847 (Cyber Resilience Act). If you believe an issue in a specific deployment of xiboplayer constitutes a reportable incident under EU law, please report it to:

• The deployment operator (usually your vendor).
• Your national CSIRT.
• ENISA's single reporting platform if and when available.

We will cooperate with legitimate information requests from market surveillance authorities about the OSS project.