We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 0.25.x | ✅ |
| 0.24.x | ✅ |
| < 0.24 | ❌ |
We take the security of QQQ seriously. If you believe you have found a security vulnerability, please report it to us responsibly.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please send an email to security@qrun.io with:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions of the software
- Potential impact of the vulnerability
- Any suggested fixes (optional)
After you report, you can expect the following:
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will investigate and validate the issue within 7 days
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical issues within 30 days
- Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)
Our disclosure policy:
- We follow coordinated disclosure
- We will work with you to understand and resolve the issue
- We ask that you give us reasonable time to address the issue before public disclosure
- We will publish a security advisory once the issue is resolved
When using QQQ in production:
- Keep dependencies updated: run `mvn versions:display-dependency-updates` regularly
- Use environment variables for secrets; never commit credentials
- Enable authentication on all endpoints
- Review entity permissions and use role-based access control
- Monitor logs for suspicious activity
- Use HTTPS for all external communications
See the QQQ Security Documentation for:
- Authentication setup
- Authorization configuration
- Audit logging
- Data encryption
Security advisories are published at: https://github.com/QRun-IO/qqq/security/advisories
Thank you for helping keep QQQ and our users safe!