We take security seriously and maintain security updates for the following versions:

| Version | Supported |
|---|---|
| main | ✅ |
| 1.x.x | ✅ |

If you discover a security vulnerability in Setlist Studio, please report it responsibly:
- DO NOT create a public GitHub issue for security vulnerabilities
- Send an email to security@setliststudio.com with details about the vulnerability
- Include steps to reproduce the issue if possible
- Allow up to 48 hours for an initial response

Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (if available)
- Your contact information

Response timeline:
- Initial Response: Within 48 hours
- Assessment: Within 1 week
- Fix Development: Timeline depends on severity
- Disclosure: Coordinated disclosure after fix is available

Automated security tooling:
- Daily Security Scans: Automated vulnerability scanning
- Dependency Updates: Automated dependency security updates via Dependabot
- Static Analysis: CodeQL and Semgrep for code security analysis
- Container Scanning: Docker image vulnerability scanning with Trivy
- Secret Detection: Automated scanning for exposed secrets

Security practices and application safeguards:
- Secure Coding Guidelines: Comprehensive security requirements in the development workflow
- Security Code Review: All changes require security review
- Input Validation: All user inputs are validated and sanitized
- Authentication: OAuth-based authentication with secure session management
- Authorization: Resource-based authorization ensuring users can only access their data
- HTTPS Enforcement: All communication over HTTPS in production
- Security Headers: Comprehensive security headers for XSS, CSRF, and clickjacking protection
- Container Security: Non-root user, minimal attack surface
- Database Security: Parameterized queries, encrypted connections
- Secrets Management: No hardcoded secrets, environment variables and Key Vault
- Rate Limiting: API rate limiting to prevent abuse
- Audit Logging: Security events are logged and monitored

Guidelines for contributors:
- Never commit secrets - Use environment variables or secure vaults
- Validate all inputs - Sanitize and validate user data
- Use parameterized queries - Prevent SQL injection attacks
- Implement proper authorization - Verify user permissions
- Follow secure coding guidelines - See `.github/copilot-instructions.md`
- Keep dependencies updated - Regularly update packages
- Review new dependencies - Evaluate security posture of new packages
- Monitor vulnerability alerts - Address security advisories promptly
- Security testing - Include security test cases
- Edge case testing - Test with malicious inputs
- Authentication testing - Verify auth flows work correctly
- Test dependency isolation - Test dependencies with vulnerabilities are isolated from production

Test dependencies may include packages with known vulnerabilities that are acceptable in test-only scenarios:
- Testcontainers.PostgreSql - Contains PostgreSQL container image CVEs that are suppressed because:
  - It is used only in isolated test containers, not in production
  - The PostgreSQL container runs temporarily during tests and is destroyed afterward
  - The project tracks the latest stable version (4.8.1)
  - The CVEs are for the PostgreSQL server, not the Testcontainers library
  - These tests are currently skipped by default and run manually when needed
- Suppression Review - Test dependency suppressions are reviewed quarterly and updated when:
  - Newer secure versions become available
  - Alternative testing approaches are identified
  - Test dependencies are no longer needed

For general security questions or concerns:
- Email: security@setliststudio.com
- Security Officer: Eugene CP (@eugenecp)

We appreciate the security research community and responsible disclosure of vulnerabilities. Contributors who report valid security issues may be acknowledged in our security hall of fame (with their permission).

This security policy is reviewed and updated regularly to ensure it reflects our current security practices.