Security: testingbot/testingbot-fastlane-plugin

Security Policy

Supported Versions

Security fixes are applied to the latest published release line of fastlane-plugin-testingbot.

Version Supported
0.1.x
< 0.1

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, use one of the following private channels:

  1. Preferred — GitHub private vulnerability reporting: open the repository's Security tab and click "Report a vulnerability". This keeps the report private until a fix is released.
  2. Email: send the details to [email protected] with [SECURITY] fastlane-plugin-testingbot in the subject.

Please include:

  • a description of the vulnerability and its impact,
  • the affected version(s),
  • steps to reproduce or a proof of concept,
  • any suggested remediation, if known.

We will acknowledge your report within 5 business days, keep you informed of progress, and credit you in the release notes once a fix is published (unless you prefer to remain anonymous). Please give us a reasonable amount of time to address the issue before any public disclosure.

Handling credentials safely

This plugin uses your TestingBot API key and secret to authenticate to TestingBot Storage. Keep them safe:

  • Never commit credentials to source control or paste them into issues, logs, or pull requests.
  • Provide them via the TESTINGBOT_KEY / TESTINGBOT_SECRET environment variables, ideally from your CI provider's encrypted secrets store — not hard-coded in your Fastfile.
  • The plugin marks both options as sensitive, so fastlane masks them in its output. Still, review any logs you share.
  • Credentials are transmitted only to https://api.testingbot.com over HTTPS using HTTP Basic authentication. The plugin never logs, persists, or forwards them anywhere else.
  • If you believe a key/secret has been exposed, rotate it immediately from your TestingBot account.
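
A check for the "review any logs you share" advice, as an added example that is not part of the plugin: it scans log text for the key, the secret, and the Base64 `key:secret` token that HTTP Basic authentication places in the `Authorization` header, then redacts them. The function names and the sample key, secret and log lines are constructed for illustration.

```ruby
require "base64"

# Returns [line_number, kind] for every log line that contains the API key,
# the API secret, or the HTTP Basic token derived from them.
def find_credential_leaks(log_text, key, secret)
  raise ArgumentError, "key and secret must be non-empty" if key.to_s.empty? || secret.to_s.empty?

  needles = {
    "api key" => key,
    "api secret" => secret,
    # HTTP Basic sends base64("key:secret"); a traced header leaks both values
    # even though neither appears in plain text.
    "basic auth token" => Base64.strict_encode64("#{key}:#{secret}")
  }
  findings = []
  log_text.each_line.with_index(1) do |line, number|
    needles.each { |kind, value| findings << [number, kind] if line.include?(value) }
  end
  findings
end

# Returns a copy of the log with every occurrence replaced by a fixed marker.
def redact_credentials(log_text, key, secret)
  token = Base64.strict_encode64("#{key}:#{secret}")
  [token, secret, key].reduce(log_text) { |text, value| text.gsub(value, "[REDACTED]") }
end

# Constructed sample values and log lines (not real credentials or plugin output).
SAMPLE_KEY = "examplekey123"
SAMPLE_SECRET = "examplesecret456"
SAMPLE_LOG = <<~LOG
  [10:00:01] Uploading app.ipa
  [10:00:02] Authorization: Basic #{Base64.strict_encode64("#{SAMPLE_KEY}:#{SAMPLE_SECRET}")}
  [10:00:03] retrying with key=#{SAMPLE_KEY}
  [10:00:04] Upload finished
LOG

if __FILE__ == $PROGRAM_NAME
  find_credential_leaks(SAMPLE_LOG, SAMPLE_KEY, SAMPLE_SECRET).each do |number, kind|
    warn "line #{number}: contains #{kind}"
  end
  puts redact_credentials(SAMPLE_LOG, SAMPLE_KEY, SAMPLE_SECRET)
end
```

In CI, pass `ENV.fetch("TESTINGBOT_KEY")` and `ENV.fetch("TESTINGBOT_SECRET")` in place of the sample values before attaching a log to an issue.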

There aren't any published security advisories