We actively support security updates for the following versions:

| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

- GitHub Security Advisories (Preferred)
  - Go to https://github.com/YOUR_ORG/YOUR_REPO/security/advisories/new
  - Click "Report a vulnerability"
  - Fill out the form with details about the vulnerability
- Email
  - Email: security@example.com
  - Include as much detail as possible about the vulnerability
  - Include steps to reproduce if applicable
- Private Security Contact
  - Contact: @security-team
When reporting a vulnerability, please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)
- Any additional context

You can expect the following response timeline:

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Depends on severity and complexity
We follow these security best practices:

- Regular dependency updates via Dependabot
- Automated security scanning in CI/CD
- CodeQL analysis for code security
- Secret scanning for exposed credentials
- Regular security audits
- Security-focused code reviews
Security updates are released as soon as possible after a vulnerability is confirmed and a fix is available. We will:

- Acknowledge receipt of the vulnerability report
- Confirm the vulnerability and assess its impact
- Develop and test a fix
- Release the fix in a security update
- Publish a security advisory (if applicable)
This security policy applies to:

- All code in this repository
- Dependencies and third-party packages
- Infrastructure and deployment configurations
- CI/CD pipelines

The following are considered out of scope:

- Social engineering attacks
- Physical security issues
- Denial of service attacks
- Issues requiring physical access to devices
- Issues in third-party services we use
We appreciate responsible disclosure and may recognize security researchers who help us improve our security.