| Version | Supported |
|---|---|
| 0.3.x | Yes |
| < 0.3 | No |
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report them privately:
- Email: Send a detailed report to [INSERT SECURITY EMAIL]
- GitHub Security Advisory: Use GitHub's private vulnerability reporting
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected component(s), e.g. `document-parser/`, `frontend/`, `docker-compose.yml`
- Impact assessment (data exposure, denial of service, privilege escalation, etc.)
- Suggested fix (if any)
| Step | SLA |
|---|---|
| Acknowledgment | < 48 hours |
| Initial assessment | < 7 days |
| Fix developed | < 14 days (critical), < 30 days (other) |
| Public disclosure | After fix is released |
- We acknowledge your report and assign a severity level
- We develop a fix in a private branch (never pushed publicly before the advisory)
- We release the fix and publish a GitHub Security Advisory
- We credit the reporter (unless they prefer anonymity)
Contributors should follow these rules:
- Never commit secrets, API keys, or credentials
- Never disable CORS or security middleware without review
- Validate all user input at the API boundary
- Keep dependencies up to date (`pip-audit`, `npm audit`)
- Follow the OWASP Top 10 guidelines
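The "validate all user input at the API boundary" rule, as an added example that is not part of this policy or of the project's own code: a boundary check for a document upload before the bytes reach any parser. The endpoint shape, the `MAX_BYTES` limit and the allowed file types are assumptions made for illustration; the point is that the filename, declared content type, size and actual content are all checked against an allowlist, and anything that fails is rejected before parsing starts.

```python
"""Added example (not project code): validate an upload at the API boundary.

Assumptions: a hypothetical upload handler receives (filename, content_type, data)
from the frontend; limits and allowed types below are illustrative.
"""
import re
from dataclasses import dataclass

MAX_BYTES = 10 * 1024 * 1024  # assumed size cap, enforced before any parsing

# Allowlist: extension -> (expected media type, magic-byte prefix the content must start with)
ALLOWED = {
    "pdf": ("application/pdf", b"%PDF-"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}

# Filenames: start alphanumeric (no leading dot), then a bounded set of safe characters.
# Path separators, NUL, control characters and over-long names never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class ValidationError(ValueError):
    """Raised for any input that fails the boundary check."""


@dataclass(frozen=True)
class Upload:
    filename: str
    content_type: str   # the canonical type from the allowlist, not the client's header
    data: bytes


def validate_upload(filename: str, content_type: str, data: bytes) -> Upload:
    # 1. Filename: allowlisted characters only; reject anything traversal-like outright.
    if not SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise ValidationError("invalid filename")
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:
        raise ValidationError("file type not allowed")
    expected_type, magic = ALLOWED[ext]

    # 2. Declared type must agree with the extension (strip parameters such as charset).
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_type:
        raise ValidationError("content-type does not match file extension")

    # 3. Size cap before the bytes are handed to a parser (cheap denial-of-service guard).
    if not data or len(data) > MAX_BYTES:
        raise ValidationError("empty or oversized upload")

    # 4. Trust the bytes, not the headers: the content must carry the expected magic prefix.
    if not data.startswith(magic):
        raise ValidationError("content does not match declared type")

    return Upload(filename=filename, content_type=expected_type, data=data)


def is_rejected(filename: str, content_type: str, data: bytes) -> bool:
    """True when the boundary check refuses the input (handy for tests and demos)."""
    try:
        validate_upload(filename, content_type, data)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    good = validate_upload("report.pdf", "application/pdf", b"%PDF-1.7\n%demo")
    print("accepted:", good.filename, good.content_type)
    for args in [
        ("../etc/passwd", "application/pdf", b"%PDF-1.7"),      # traversal in name
        ("tool.exe", "application/pdf", b"MZ\x90\x00"),          # disallowed type
        ("report.pdf", "application/pdf", b"MZ\x90\x00"),        # header lies about content
        ("image.png", "application/pdf", b"\x89PNG\r\n\x1a\n"),  # type/extension mismatch
    ]:
        print("rejected:", args[0], is_rejected(*args))
```

The checks are ordered cheapest first, so a hostile client cannot force the parser to run on oversized or mislabelled data; the returned `Upload` carries the allowlisted media type rather than whatever the client declared, so downstream code never sees the raw header value.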