We release security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ Fully supported |
| LTS | ⚠️ Security fixes only |
| < LTS | ❌ No longer supported |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- Email: security@w3j.dev
- GitHub Security Advisory: use "Report a vulnerability" in the repository's Security tab
We will acknowledge receipt of your vulnerability report within 48 hours and will send you regular updates about our progress.
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: What could an attacker achieve?
- Steps to reproduce: Detailed instructions
- Proof of concept: If possible
- Suggested fix: If you have one
| Phase | Timeline |
|---|---|
| Initial Response | 48 hours |
| Vulnerability Assessment | 5 business days |
| Fix Development | Depends on severity |
| Fix Release | Within 90 days |
| Public Disclosure | After fix is released |
- Dependency scanning: Automated vulnerability checks
- Code analysis: Static analysis with CodeQL
- Secret detection: Automated scanning for secrets
- Regular audits: Security audits of dependencies
- Never commit secrets:
  - API keys
  - Passwords
  - Private tokens
  - Certificates and their private keys
- Use environment variables for sensitive configuration
- Enable 2FA on your GitHub account
- Keep dependencies updated
- Input validation and sanitization
- Parameterized queries (prevent SQL injection)
- Output encoding (prevent XSS)
- Proper authentication and authorization
- Secure session management
- Use HTTPS everywhere
- Secure headers (HSTS, CSP, etc.)
- Regular security updates
- Principle of least privilege
- Encryption at rest and in transit
- Proper access controls
- Data minimization
- Secure deletion
We appreciate security researchers who responsibly disclose vulnerabilities:
- Security Team: security@w3j.dev
- General Inquiries: contact@w3j.dev
Thank you for helping keep our projects and users safe!