Security fixes are applied to the latest published release line of fastlane-plugin-testingbot.

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, use one of the following private channels:
- Preferred — GitHub private vulnerability reporting: open the repository's Security tab and click "Report a vulnerability". This keeps the report private until a fix is released.
- Email: send the details to info@testingbot.com with `[SECURITY] fastlane-plugin-testingbot` in the subject.

Please include:
- a description of the vulnerability and its impact,
- the affected version(s),
- steps to reproduce or a proof of concept,
- any suggested remediation, if known.

We will acknowledge your report within 5 business days, keep you informed of progress, and credit you in the release notes once a fix is published (unless you prefer to remain anonymous). Please give us a reasonable amount of time to address the issue before any public disclosure.

This plugin uses your TestingBot API key and secret to authenticate to TestingBot Storage. Keep them safe:
- Never commit credentials to source control or paste them into issues, logs, or pull requests.
- Provide them via the `TESTINGBOT_KEY`/`TESTINGBOT_SECRET` environment variables, ideally from your CI provider's encrypted secrets store — not hard-coded in your `Fastfile`.
- The plugin marks both options as `sensitive`, so fastlane masks them in its output. Still, review any logs you share.
- Credentials are transmitted only to `https://api.testingbot.com` over HTTPS using HTTP Basic authentication. The plugin never logs, persists, or forwards them anywhere else.
- If you believe a key/secret has been exposed, rotate it immediately from your TestingBot account.