We deeply appreciate any effort to disclose responsibly.
If you would like to report a vulnerability, or have discovered a security issue in Spunky Bot, please e-mail us directly at: security@spunkybot.de. This will allow us to assess the risk and make a fix available before we add a bug report to the GitHub repository.
For non-critical matters, we prefer customers open a ticket in our issue tracker.
We take all disclosures very seriously and will do our best to rapidly respond and verify the vulnerability before taking the necessary steps to fix it.
We thank you in advance for helping make Spunky Bot safe for everyone.
If you would like to secure your communications with us, the following PGP key can be used.
The public key ID for security@spunkybot.de is 0x7EC01A2590514A31, and this public key is available from most commonly used keyservers with fingerprint 06BF 8E04 B244 4ED7 A3D8 9FB3 7EC0 1A25 9051 4A31.
If you would like to verify the checksum and signature of a download, please perform the following steps:
For example:
```sh
# Download the package and signature files.
wget https://spunkybot.de/download/spunkybot-1.12.0.tar.gz
wget https://spunkybot.de/download/spunkybot-1.12.0.tar.gz.asc
wget https://spunkybot.de/download/1.12.0/SHASUMS
wget https://spunkybot.de/download/1.12.0/SHASUMS.sig

# Verify the SHASUMS matches the package file.
shasum -a 256 -c SHASUMS

# Import our public key - one-time step.
wget -qO- https://www.alexanderkress.de/pgp_github_key.asc | gpg --import

# Verify the signature files.
gpg --verify spunkybot-1.12.0.tar.gz.asc spunkybot-1.12.0.tar.gz
gpg --verify SHASUMS.sig SHASUMS
```
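`gpg --verify` reports success for a good signature from any key in the local keyring, so the signature step above is stronger when the signer's fingerprint is also compared with one obtained out of band. The following is an added example, not part of the Spunky Bot project, that pins the fingerprint by parsing gpg's machine-readable status output. The function names, the `SIGNING_KEY_FPR` placeholder and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only if one pinned key made it.

# Strip spaces and upper-case a fingerprint written as "06BF 8E04 ...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --status-fd` output on stdin. Succeed only if it reports GOODSIG
# and a VALIDSIG whose primary-key fingerprint (field 12, falling back to the
# signing-key fingerprint in field 3) equals the pinned value.
status_signed_by() {
    want=$(normalize_fpr "$1")
    [ "${#want}" -eq 40 ] || return 2   # expect a 40-hex-digit fingerprint
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        END { exit !(good && (fpr "") == (want "")) }'
}

# verify_pinned <fingerprint> <signature-file> <signed-file>
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_signed_by "$1"
}

# Constructed status output (not captured from a real run): a good signature
# made by a subkey of a key with the made-up fingerprint 0123...4567.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2017-06-11 1497169403 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

# Usage (SIGNING_KEY_FPR is a placeholder for the release key's fingerprint):
#   verify_pinned "$SIGNING_KEY_FPR" SHASUMS.sig SHASUMS && shasum -a 256 -c SHASUMS
```

Checking the signature on `SHASUMS` before running `shasum -c`, as in the usage line, means the checksums are trusted only after their origin has been confirmed.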