We release patches for security vulnerabilities for the following versions:

We take security seriously. If you discover a security vulnerability, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities.

Send an email to: security@glpx.pro

Include the following information:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested fix (if any)
• Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Varies based on severity
  • Critical: 1-3 days
  • High: 1-2 weeks
  • Medium: 2-4 weeks
  • Low: Best effort

• We will acknowledge receipt of your vulnerability report
• We will investigate and validate the issue
• We will develop a fix and coordinate disclosure
• We will credit you for the discovery (unless you prefer to remain anonymous)

• Never commit API keys, passwords, or secrets to the repository
• Use environment variables for sensitive configuration
• Use configs/Juleson.example.yaml as a template
• Keep configs/Juleson.yaml in .gitignore

# Set environment variables
export JULES_API_KEY="your-api-key"

# Or use configuration file
cp configs/Juleson.example.yaml configs/Juleson.yaml
# Edit configs/Juleson.yaml and add your API key

• Keep dependencies up to date: go get -u ./...
• Review code before executing templates
• Use least privilege for file system operations
• Validate input from external sources

Templates execute operations on your file system. Review templates before executing:

# Review template before execution
./bin/juleson template view modular-restructure

# Execute with dry-run first
./bin/juleson execute --template modular-restructure --project ./test --dry-run

All communications with Jules API use HTTPS. Ensure your system's CA certificates are up to date.

The tool requires read/write access to your project directories. Be cautious when running on sensitive codebases.

Security updates will be released as patch versions and announced via:

• GitHub Security Advisories
• Release notes
• Email notifications (for reported vulnerabilities)

This security policy applies to:

• All code in the Juleson repository
• Official binary releases
• Docker images (if applicable)

Out of scope:

• Third-party integrations
• User-created custom templates
• Forked repositories

We currently do not offer a bug bounty program, but we greatly appreciate responsible disclosure.

We maintain a SECURITY_CONTRIBUTORS.md file to acknowledge security researchers who have helped improve the project's security.

Thank you for helping keep Juleson and our users safe!