We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

- Do NOT create a public GitHub issue
- Email security details to: security@yteyoh.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
The following are in scope:

- Authentication/authorization bypasses
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Sensitive data exposure
- Insecure token storage or transmission
- Rate limiting bypasses
- Any security-related issues

The following are out of scope:

- Missing security headers (unless exploitable)
- Informational disclosure of non-sensitive data
- Denial of service (DoS) issues
- Issues requiring physical access
- Social engineering attacks
Response timeline:

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: 7 days
  - High: 30 days
  - Medium: 90 days
  - Low: Next release
When using this library:

- Never commit credentials - Use environment variables or a secrets manager
- Use HTTPS - Always use HTTPS in production
- Keep dependencies updated - Update dependencies regularly
- Validate input - Always validate and sanitize user input
- Use strong secrets - Use strong, randomly generated client secrets
- Monitor tokens - Track token expiration and refresh tokens before they expire
- Limit access - Apply the principle of least privilege
- Audit logs - Enable logging and monitor for suspicious activity
Security updates will be:

- Released as patch versions (e.g., 1.0.1)
- Documented in CHANGELOG.md
- Announced in release notes
We thank security researchers who responsibly disclose vulnerabilities. Contributors will be credited (with permission) in security advisories.