Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security vulnerabilities to info@stepsecurity.io

Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)
GHSA-46g3-37rh-v698 published Mar 16, 2026 by varunsh-coder

Moderate
Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
GHSA-cpmj-h4f6-r6pq published Feb 7, 2026 by varunsh-coder

Moderate
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)
GHSA-g699-3x6g-wm3g published Mar 16, 2026 by varunsh-coder

Moderate
Evasion of 'disable-sudo' policy
GHSA-mxr3-8whj-j74r published Apr 21, 2025 by varunsh-coder

Moderate
Command injection weaknesses in `setup.ts` and `arc-runner.ts`
GHSA-g85v-wf27-67xc published Nov 18, 2024 by varunsh-coder

Low

Learn more about advisories related to step-security/harden-runner in the GitHub Advisory Database