We take the security of this project seriously. This document outlines how to responsibly report vulnerabilities and how we manage security-related issues.
Security updates are provided only for active development branches:
| Version | Status |
|---|---|
| main | ✅ Supported |
| All others | ❌ Not actively maintained |
Please ensure you are testing against the latest version before reporting any issues.
If you discover a security issue, please do not create a public GitHub issue.
Instead, contact us privately via email:
📧 security@example.com
Include the following details to help us respond quickly:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Screenshots or PoC if applicable
- Any suggested fixes
We aim to respond within 72 hours and keep you updated throughout the process.
To protect users, we follow a standard responsible disclosure practice:
- Vulnerability is reported privately
- We investigate and confirm the issue
- We develop a fix and prepare a security release
- We publish advisories after mitigation is available
Credit will be given for responsible and helpful security reports, unless you request anonymity.
To minimize risks when contributing:
- Do not commit secrets, API keys, or credentials
- Avoid introducing unsafe dependencies
- Validate and sanitize all user inputs
- Follow secure coding guidelines for our stack (e.g., OWASP Top 10)
- Run tests and linters before submitting PRs
- If unsure, ask in the Pull Request conversation
We use automated vulnerability scanning where possible:
- GitHub Dependabot Alerts
- npm audit (or the equivalent tool for your stack)
Please respond promptly to flagged issues or dependency upgrade requests.
We track CVEs, advisories, and improvement needs through GitHub Security Advisories.
If you find something missing, report it privately as described above.
Thank you for helping keep this project and its users secure ❤️