We actively maintain and support the following versions:

We take the security of Time-Machines-Builders seriously. If you discover a security vulnerability, please follow these steps:

Please do not open a public GitHub issue for security vulnerabilities. This helps prevent malicious actors from exploiting the vulnerability before it can be fixed.

1. Navigate to the repository's Security tab
2. Click "Report a vulnerability"
3. Fill out the security advisory form with:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

Alternatively, you can report via:

• Email: security@time-machines-builders.dev (if available)
• GitHub Security Advisory: https://github.com/lippytm/Time-Machines-Builders-/security/advisories/new

When reporting a vulnerability, please include:

• Type of vulnerability (e.g., SQL injection, XSS, secret exposure)
• Affected component (workflow, integration, documentation)
• Impact assessment (what could an attacker do?)
• Steps to reproduce
• Proof of concept (if applicable)
• Suggested remediation (if you have ideas)

We aim to respond to security vulnerabilities according to the following Service Level Agreement (SLA):

• Initial Response: Within 48 hours of report
• Status Update: Within 7 days of report
• Fix Timeline: Depends on severity (best effort)
  • Critical: Within 7 days
  • High: Within 14 days
  • Medium: Within 30 days
  • Low: Next release cycle

Note: These timelines are best-effort targets. Actual resolution time may vary depending on complexity, resources, and impact assessment.

This repository uses multiple automated security tools:

1. CodeQL Analysis

   • Runs on every push and PR
   • Scans for common vulnerabilities
   • Results available in Security tab

2. Trivy Vulnerability Scanner

   • Scans for security issues in files
   • Checks for misconfigurations
   • Reports in SARIF format

3. Dependency Review

   • Analyzes dependency changes in PRs
   • Flags vulnerable dependencies
   • Provides remediation suggestions

4. Secret Scanning

   • GitHub's built-in secret detection
   • Prevents accidental token commits
   • Alerts on exposed secrets

1. Never commit secrets

   • Use environment variables
   • Use GitHub Secrets
   • Review .gitignore

2. Review workflow permissions

   • Use minimum required permissions
   • Avoid write-all permissions
   • Document permission needs

3. Validate external inputs

   • Sanitize user inputs
   • Validate webhook payloads
   • Check API responses

4. Keep dependencies updated

   • Regular dependency updates
   • Review security advisories
   • Test updates thoroughly

1. Review security scan results

   • Check CodeQL alerts weekly
   • Address Trivy findings
   • Investigate dependency alerts

2. Manage access carefully

   • Use branch protection rules
   • Require PR reviews
   • Enable required status checks

3. Rotate secrets regularly

   • Update API tokens quarterly
   • Revoke unused credentials
   • Monitor secret usage

4. Document security practices

   • Keep this policy updated
   • Document new integrations
   • Share security learnings

All workflows implement security best practices:

• Minimal Permissions: Each workflow has only required permissions
• Secret Management: Proper use of GitHub Secrets
• Input Validation: Validation of workflow inputs and triggers
• Error Handling: Secure error messages without sensitive data

External integrations follow security guidelines:

• API Authentication: Secure token-based authentication
• HTTPS Only: All external communications use HTTPS
• Webhook Validation: Validate webhook signatures
• Rate Limiting: Implement rate limiting where applicable

• Branch Protection: Main and develop branches are protected with the following rules:
  • Require pull request reviews before merging
  • Require status checks to pass before merging
  • Require conversation resolution before merging
  • Require linear history
  • Do not allow bypassing the above settings
• Required Reviews: PRs require at least one approval
• Status Checks: Required CI checks must pass (lint-test, CodeQL, dependency-review)
• Signed Commits: Recommended for maintainers

Note: Contributors should target the develop branch for new features and bug fixes. The main branch is reserved for production-ready code.

When a vulnerability is fixed:

1. Security Advisory Published

   • Detailed description of the issue
   • Affected versions
   • Remediation steps
   • Credits to reporter

2. Release Notes Updated

   • Security fixes highlighted
   • Upgrade instructions
   • Breaking changes noted

3. Notification Sent

   • GitHub Security Advisories
   • Repository watchers notified
   • Related projects informed

• CodeQL - Semantic code analysis
• Trivy - Vulnerability scanner
• Dependabot - Dependency updates
• GitHub Secret Scanning - Secret detection

• GitHub Security Best Practices
• OWASP Top 10
• CWE Common Weakness Enumeration

We appreciate the security research community and will acknowledge reporters in:

• Security advisories
• Release notes
• Hall of Fame (if implemented)

For security-related questions that are not vulnerabilities:

• Open a Discussion in the Security category
• Contact maintainers via GitHub
• Review existing security documentation

Thank you for helping keep Time-Machines-Builders secure! 🔒