We release patches for security vulnerabilities in the following versions:

We take the security of Leaven seriously. If you believe you have found a security vulnerability, please report it to us privately.

Please do not report security vulnerabilities through public GitHub issues.

1. Email: Send an email to security@pegasusheavy.com with:

   • A description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact of the vulnerability
   • Any suggested fixes (optional)

2. GitHub Security Advisories: You can also use GitHub's private vulnerability reporting.

• Acknowledgment: We will acknowledge receipt of your report within 48 hours.
• Communication: We will keep you informed of our progress toward a fix.
• Timeline: We aim to release a fix within 90 days of confirmation.
• Credit: We will publicly credit you for the discovery (unless you prefer to remain anonymous).

The following are in scope for security reports:

• All @leaven-graphql/* packages
• The Leaven documentation site
• Any official Leaven tooling or integrations

• Vulnerabilities in dependencies (please report these to the respective maintainers)
• Denial of service attacks
• Social engineering attacks
• Physical security issues

When using Leaven in production:

1. Disable introspection in production:

   createExecutor({ schema, introspection: false });

2. Set query complexity limits:

   createExecutor({
     schema,
     maxDepth: 10,
     maxComplexity: 1000
   });

3. Use HTTPS for all GraphQL endpoints

4. Implement rate limiting at the HTTP layer

5. Validate and sanitize all user inputs

6. Keep dependencies updated regularly

Security updates are released as patch versions. We recommend:

• Subscribing to GitHub Security Advisories
• Using Dependabot to keep dependencies updated
• Monitoring the releases page for security announcements