| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take the security of SwachhZero seriously. If you discover a security vulnerability, please report it responsibly.

- DO NOT create a public GitHub issue for security vulnerabilities
- Email security@swachhzero.org with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if available)
- You will receive an acknowledgment within 48 hours
- We will provide a detailed response within 5 business days

Our response timeline:

- Acknowledgment: Within 48 hours of your report
- Assessment: We will evaluate the severity and impact within 5 business days
- Fix Timeline: Critical vulnerabilities will be patched within 7 days; others within 30 days
- Disclosure: We will coordinate disclosure with you and credit your contribution (unless you prefer anonymity)

The following are in scope for security reports:

- Authentication and authorization bypass
- Data leakage or exposure of sensitive information
- SQL injection, XSS, CSRF, or other injection attacks
- Privilege escalation
- Denial of service (application-level)
- Cryptographic weaknesses
- Insecure default configurations
- Dependency vulnerabilities with active exploits

The following are out of scope:

- Social engineering attacks
- Physical attacks
- Denial of service via volumetric attacks
- Issues in third-party services not directly managed by SwachhZero
- Issues requiring physical access to a user's device

Our disclosure policy:

- We follow a 90-day coordinated disclosure policy
- Security advisories will be published via GitHub Security Advisories
- CVE identifiers will be requested for confirmed vulnerabilities
- Contributors who report valid vulnerabilities will be acknowledged in our security advisories

Security practices for contributors:

- Never commit secrets, API keys, or credentials to the repository
- Use environment variables for all sensitive configuration
- Follow the principle of least privilege in all code
- Validate and sanitize all user inputs
- Keep dependencies up to date
- Use parameterized queries for all database operations

Contact:

- Email: security@swachhzero.org
- PGP Key: Available upon request

Thank you for helping keep SwachhZero and its users safe.