| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, report them via one of the following methods:
- GitHub Security Advisories: Use the Report a vulnerability button on the Security tab.
- Email: Send details to the repository maintainers listed in CODEOWNERS.
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
| Action | Timeframe |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Fix or mitigation | Best effort, depends on severity |
| Level | Description | Response |
|---|---|---|
| Critical | Remote code execution, data exfiltration | Immediate patch |
| High | Authentication bypass, privilege escalation | Patch within 7 days |
| Medium | Information disclosure, denial of service | Patch within 30 days |
| Low | Minor issues, hardening improvements | Next scheduled release |
- Never commit secrets, credentials, or API keys.
- Use environment variables for all sensitive configuration (see .env.example).
- Keep dependencies up to date (Dependabot is configured for this).
- All PRs run Bandit security scanning automatically.
- Follow the principle of least privilege in OAuth and storage implementations.
We follow responsible disclosure. Once a fix is available, we will:
- Publish a GitHub Security Advisory.
- Release a patched version.
- Credit the reporter (unless they prefer anonymity).