We actively maintain and provide security updates for the following versions of EnginerView Portfolio:
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security seriously and appreciate your help in keeping EnginerView Portfolio and its users safe.
If you discover a security vulnerability, please report it responsibly by following these steps:
- Do NOT create a public GitHub issue
- Do NOT discuss the vulnerability publicly until it has been resolved
- Email us directly at security@voxhash.dev with the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes or mitigations
Please include as much of the following information as possible:
- Vulnerability Type: (e.g., XSS, CSRF, SQL injection, etc.)
- Affected Components: Which parts of the application are affected
- Severity: Your assessment of the severity (Critical, High, Medium, Low)
- Proof of Concept: Code or steps to reproduce the issue
- Environment: Browser, OS, Node.js version, etc.
- Impact: What could an attacker achieve with this vulnerability
We will respond to security reports within 48 hours and provide:
- Confirmation of receipt
- Initial assessment of the vulnerability
- Timeline for resolution
- Regular updates on progress
- Acknowledgment: We'll confirm receipt within 48 hours
- Investigation: We'll investigate and validate the report
- Fix Development: We'll develop and test a fix
- Release: We'll release a security update
- Disclosure: We'll coordinate public disclosure
We follow responsible disclosure practices:
- No public disclosure until a fix is available
- Coordinated disclosure with the reporter
- Credit given to security researchers (unless they prefer anonymity)
- Security advisory published after the fix is released
- Keep dependencies updated: Regularly update your dependencies
- Use environment variables: Never commit API keys or secrets
- Enable security features: Use HTTPS, security headers, etc.
- Regular backups: Keep regular backups of your data
- Monitor logs: Watch for suspicious activity
- Code review: All code changes are reviewed for security issues
- Dependency scanning: Regular security scans of dependencies
- Input validation: All user inputs are validated and sanitized
- Output encoding: All outputs are properly encoded
- Authentication: Secure authentication and session management
- Authorization: Proper access controls and permissions
- HTTPS Enforcement: All communications use HTTPS
- Security Headers: Comprehensive security headers
- Input Validation: Server-side validation of all inputs
- Output Encoding: Proper encoding of all outputs
- CSRF Protection: Cross-Site Request Forgery protection
- XSS Prevention: Cross-Site Scripting prevention
- SQL Injection Prevention: Parameterized queries
- Rate Limiting: API rate limiting and abuse prevention
- Environment Variables: Sensitive data stored in environment variables
- Secret Management: Secure handling of API keys and secrets
- Access Controls: Proper file and directory permissions
- Network Security: Secure network configurations
- Remote code execution
- Authentication bypass
- Privilege escalation
- Data breach or exposure
- Complete system compromise
- Cross-site scripting (XSS)
- SQL injection
- Cross-site request forgery (CSRF)
- Authentication vulnerabilities
- Authorization bypass
- Information disclosure
- Denial of service
- Input validation issues
- Configuration problems
- Weak cryptography
- Information leakage
- Minor configuration issues
- Non-critical input validation
- Cosmetic security issues
- Security patches are released as soon as possible
- Critical vulnerabilities are patched within 24-48 hours
- High vulnerabilities are patched within 1 week
- Medium/Low vulnerabilities are patched in the next regular release
Security updates are announced via:
- GitHub Releases: Tagged releases with security notes
- Email: Direct notification to security subscribers
- Documentation: Updated security documentation
- Changelog: Detailed changelog entries
- Dependency scanning: Regular scans for vulnerable dependencies
- Code analysis: Static analysis for security issues
- Penetration testing: Regular security testing
- Vulnerability scanning: Automated vulnerability detection
- Code review: Manual security code review
- Security testing: Manual security testing
- Threat modeling: Regular threat assessment
- Security audits: Periodic security audits
- Email: security@voxhash.dev
- Response Time: Within 48 hours
- Availability: 24/7 for critical issues
- Email: contact@voxhash.dev
- GitHub: @voxhash
- Website: voxhash.dev
We appreciate the security researchers and community members who help keep EnginerView Portfolio secure. Security researchers who responsibly disclose vulnerabilities will be acknowledged in our security advisories (unless they prefer anonymity).
This security policy is provided for informational purposes only. By reporting vulnerabilities, you agree to:
- Not publicly disclose the vulnerability until we have had a chance to address it
- Not use the vulnerability for malicious purposes
- Not access or modify data that doesn't belong to you
- Not disrupt our services or systems
Last Updated: January 2025
Next Review: March 2025