Security: hyperpolymath/zotero-rescript-templater

SECURITY.md

Security Policy

Supported Versions

We actively support the following versions with security updates:

Version   Supported
0.2.x     Yes
0.1.x     Yes

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

1. Do Not Open a Public Issue

Please do not create a public GitHub issue for security vulnerabilities, as this could put users at risk.

2. Report Privately

Report security vulnerabilities through one of these channels:

GitHub Security Advisories (Preferred)

  1. Navigate to the Security tab
  2. Click "Report a vulnerability"
  3. Fill out the security advisory form

Email (Alternative)

Use GitHub Security Advisories (see above) as the primary contact method.

Include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)

3. What to Expect

After you report a vulnerability:

  • Within 48 hours: We will acknowledge receipt of your report
  • Within 7 days: We will provide an initial assessment
  • Within 30 days: We aim to release a fix or provide a detailed response

4. Responsible Disclosure

We follow responsible disclosure practices:

  • We will credit you for discovering the vulnerability (unless you prefer anonymity)
  • We request that you keep the vulnerability confidential until we release a fix
  • Once patched, we will:
    1. Release a security update
    2. Publish a security advisory
    3. Credit the reporter (if desired)

Security Measures

Code Security

This project includes:

  • Dependency scanning via GitHub Dependabot
  • CodeQL security analysis on all commits
  • Trivy security scanning for containers
  • Static analysis (PSScriptAnalyzer for PowerShell)
  • No storage of credentials or sensitive data

Generated Plugin Security

When you use this scaffolder to create Zotero plugins:

  • Templates do not include any network access code by default
  • No analytics or tracking code included
  • All template code is visible and auditable
  • No obfuscated or minified code in templates

File Integrity

  • XXHash64/SHA256 checksums for all generated files
  • Audit trail with timestamps
  • Tamper detection capabilities
  • Verification commands available

Security Best Practices for Users

When Using the Scaffolder

  1. Review Generated Code: Always review the code generated by the scaffolder before use
  2. Keep Dependencies Updated: Regularly update npm/Racket packages in generated projects
  3. Verify Downloads: Check file hashes if downloading releases
  4. Use Official Sources: Only download from official GitHub releases
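The manifest-and-verify flow behind the File Integrity section above (checksums for generated files, timestamped audit trail, tamper detection) and the "Verify Downloads" advice, shown as an added POSIX shell example. This is not the templater's own code: it assumes sha256sum from coreutils plus POSIX awk, find and sort, the file names .manifest.sha256 and .integrity.log are assumptions, and the small plugin tree it builds is constructed for illustration. The project also records XXHash64; only SHA-256 is shown here.

```shell
#!/bin/sh
# Added example, not the templater's own code: record SHA-256 checksums of a
# scaffolded tree, keep a timestamped audit log, and later classify every
# difference as MODIFIED, MISSING or ADDED. Assumes coreutils sha256sum and
# POSIX awk/find/sort, and file names without spaces or newlines.

MANIFEST_NAME=".manifest.sha256"   # assumed name, not the project's
LOG_NAME=".integrity.log"          # assumed name, not the project's

# Print "hash  ./relative/path" for every regular file under $1 except the
# manifest and log, sorted so two runs over identical trees produce identical
# output.
hash_tree() {
    ( cd "$1" && find . -type f ! -name "$MANIFEST_NAME" ! -name "$LOG_NAME" \
        | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done )
}

# Append one UTC-timestamped line to the audit log inside the tree ($1).
audit() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1/$LOG_NAME"
}

# Snapshot the tree; run this immediately after the scaffolder finishes.
make_manifest() {
    hash_tree "$1" > "$1/$MANIFEST_NAME"
    audit "$1" "manifest written: $(wc -l < "$1/$MANIFEST_NAME" | tr -d ' ') files"
}

# Compare the tree ($1) against its manifest. Prints one line per discrepancy,
# logs the outcome, and returns 0 only if every recorded file is present and
# unchanged and no unrecorded file has appeared.
verify_manifest() {
    root=$1
    current=$(mktemp)
    hash_tree "$root" > "$current"
    rc=0
    report=$(awk '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { want[$2] = $1; next }   # recorded state
        { have[$2] = $1 }                              # current state
        END {
            for (p in want)
                if (!(p in have))            { print "MISSING  " p; bad = 1 }
                else if (want[p] != have[p]) { print "MODIFIED " p; bad = 1 }
            for (p in have)
                if (!(p in want))            { print "ADDED    " p; bad = 1 }
            exit bad
        }' "$root/$MANIFEST_NAME" "$current") || rc=$?
    rm -f "$current"
    if [ "$rc" -eq 0 ]; then
        audit "$root" "verify: OK"
    else
        printf '%s\n' "$report"
        audit "$root" "verify: FAILED ($(printf '%s\n' "$report" | wc -l | tr -d ' ') discrepancies)"
    fi
    return "$rc"
}

# Constructed stand-in for a freshly scaffolded plugin project.
setup_demo_tree() {
    mkdir -p "$1/src"
    printf 'Zotero.DemoPlugin = {};\n' > "$1/src/index.js"
    printf '{ "name": "demo-plugin", "version": "0.2.0" }\n' > "$1/manifest.json"
}

# Full walk-through: scaffold, snapshot, verify clean, then alter, delete and
# add files and verify again. Run with: RUN_DEMO=1 sh integrity.sh
demo() {
    root=$(mktemp -d)
    setup_demo_tree "$root"
    make_manifest "$root"
    verify_manifest "$root" && echo "clean tree: verified"
    printf '// changed after scaffolding\n' >> "$root/src/index.js"
    rm "$root/manifest.json"
    printf 'console.log(1);\n' > "$root/extra.js"
    verify_manifest "$root" || echo "tampering detected"
    echo "--- audit log ---"; cat "$root/$LOG_NAME"
    rm -rf "$root"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

The same verify_manifest step covers release downloads: publish the manifest alongside the release, and the downloader runs it over the unpacked archive. The manifest itself is only as trustworthy as the channel it arrived over, so it should be fetched from the official release page rather than from the same untrusted mirror as the archive.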

When Developing Zotero Plugins

  1. Input Validation: Always validate user input in your plugins
  2. Avoid eval(): Never use eval() or Function() with user input
  3. Secure Data Storage: Use Zotero's secure storage APIs for sensitive data
  4. Content Security: Be cautious with XUL overlays and content scripts
  5. Update Dependencies: Keep all plugin dependencies up-to-date

Known Security Considerations

PowerShell Execution

The PowerShell scaffolder executes C# code for XXHash64 computation:

  • Code is embedded in the script (not downloaded)
  • All code is visible and auditable
  • No network access required
  • Runs with user's permissions only

Racket Execution

The Racket scaffolder executes Lisp code:

  • All code is part of the repository
  • No code is fetched from or executed on remote systems
  • Uses standard Racket libraries only
  • Runs in user context

Bash Execution

The Bash scaffolder:

  • Uses standard Unix utilities
  • May call external tools (git, xxhsum)
  • No remote downloads during execution
  • Runs with user permissions

Vulnerability Disclosure Timeline

  1. Day 0: Vulnerability reported
  2. Day 1-2: Acknowledgment sent to reporter
  3. Day 1-7: Initial assessment and triage
  4. Day 7-30: Development and testing of fix
  5. Day 30: Public disclosure (if fix ready)

If a fix requires more than 30 days, we will:

  • Communicate timeline to reporter
  • Provide regular updates
  • Consider temporary mitigations

Security Hall of Fame

We thank the following researchers for responsibly disclosing security issues:

No vulnerabilities have been reported yet.

License Compliance

This project is licensed under AGPL-3.0, which requires:

  • Source code availability for network-accessible services
  • Disclosure of modifications
  • License compatibility for derivative works

See LICENSE for full details.

Questions?

If you have questions about security that aren't covered here:


This security policy is subject to change. Last updated: November 2024