We take security seriously at MAWI MAN. The following versions of our projects are currently being supported with security updates:
| Version | Supported |
|---|---|
| Latest | β Yes |
| Beta | β Yes |
| Alpha | |
| Legacy | β No |
If you discover a security vulnerability in any MAWI MAN project, please report it responsibly. We appreciate your efforts to improve the security of our projects.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing us at:
π Security Email: ayoub@mawiman.com
When reporting a vulnerability, please include the following information:
- Project Name: Which MAWI MAN project is affected
- Vulnerability Type: What type of vulnerability (e.g., XSS, SQL injection, etc.)
- Location: Where the vulnerability exists (file path, line number, etc.)
- Description: A clear description of the vulnerability
- Impact: What could an attacker accomplish with this vulnerability
- Steps to Reproduce: Detailed steps to reproduce the vulnerability
- Proof of Concept: If possible, include a proof of concept
- Suggested Fix: If you have ideas for how to fix the vulnerability
We are committed to responding to security reports promptly:
- Initial Response: Within 24 hours
- Status Update: Within 72 hours
- Resolution Timeline: Varies based on complexity, but we aim for:
- Critical: 1-7 days
- High: 7-14 days
- Medium: 14-30 days
- Low: 30-90 days
We believe in recognizing security researchers who help us improve our projects:
- Hall of Fame: Security researchers will be listed in our security hall of fame (with permission)
- Acknowledgment: Public acknowledgment in release notes and security advisories
- Coordination: We will work with you on coordinated disclosure
- Receipt: We acknowledge receipt of your vulnerability report
- Assessment: We assess the vulnerability and determine its severity
- Development: We develop and test a fix
- Coordination: We coordinate with you on disclosure timeline
- Release: We release the security update
- Disclosure: We publish a security advisory
When contributing to MAWI MAN projects, please follow these security best practices:
- Input Validation: Always validate and sanitize user input
- Authentication: Implement proper authentication and authorization
- Encryption: Use strong encryption for sensitive data
- Dependencies: Keep dependencies up to date
- Secrets: Never commit secrets, keys, or passwords to the repository
- HTTPS: Always use HTTPS in production
- Headers: Implement security headers (CSP, HSTS, etc.)
- CORS: Configure CORS properly
- XSS Protection: Implement XSS protection measures
- SQL Injection: Use parameterized queries
- Principle of Least Privilege: Grant minimum necessary permissions
- Error Handling: Don't expose sensitive information in error messages
- Logging: Log security events appropriately
- Updates: Keep all components updated
The following are generally considered out of scope for security reports:
- Social Engineering: Attacks that rely on social engineering
- Physical Access: Attacks requiring physical access to systems
- DoS/DDoS: Denial of service attacks
- Spam: Issues related to spam or abuse
- Rate Limiting: Missing rate limiting (unless it leads to a more serious vulnerability)
For security-related inquiries:
- Security Email: ayoub@mawiman.com
- General Contact: ayoub@mawiman.com
- Website: https://www.mawiman.com
Security updates and advisories will be published:
- GitHub Security Advisories: On the affected repository
- Release Notes: In the project's release notes
- Website: On our official website
- Email: To subscribers of our security mailing list
Thank you for helping keep MAWI MAN projects secure!
Β© MAWI MAN (Ayoub Alarjani) β All Rights Reserved