|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +This section tells users which versions of this project are currently supported with security updates. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 5.1.x | ✅ | |
| 10 | +| 5.0.x | ❌ | |
| 11 | +| 4.0.x | ✅ | |
| 12 | +| < 4.0 | ❌ | |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +## Reporting a Vulnerability |
| 17 | + |
| 18 | +If you discover a security vulnerability, please report it **responsibly**. We take security seriously and aim to respond promptly. |
| 19 | + |
| 20 | +### How to Report |
| 21 | + |
| 22 | +1. **Preferred:** Use GitHub’s security advisory system. |
| 23 | + - Go to the **Security** tab → **Report a vulnerability**. |
| 24 | + - Include: |
| 25 | + - Description of the vulnerability |
| 26 | + - Steps to reproduce (if applicable) |
| 27 | + - Potential impact |
| 28 | + |
| 29 | +2. **Alternative:** Email directly to: rogermodu@gmail.com |
| 30 | + - Subject: `[Security] <brief description>` |
| 31 | + - Attach proof-of-concept or reproduction steps if possible |
| 32 | + |
| 33 | +**Do not** create a public GitHub issue for security vulnerabilities. This helps prevent exposing sensitive information before a fix is released. |
| 34 | + |
| 35 | +--- |
| 36 | + |
| 37 | +### Response Timeline |
| 38 | + |
| 39 | +- **Acknowledgment:** Within 48 hours of reporting |
| 40 | +- **Investigation & Updates:** Updates provided within 1 week |
| 41 | +- **Fix Release:** As soon as possible, depending on severity |
| 42 | + |
| 43 | +--- |
| 44 | + |
| 45 | +### Severity Classification |
| 46 | + |
| 47 | +- **Critical:** Exploitable vulnerability causing data loss, remote code execution, or system compromise |
| 48 | +- **High:** Vulnerability that can cause significant impact but requires user action |
| 49 | +- **Medium:** Vulnerability with moderate impact |
| 50 | +- **Low:** Minor issues or informational findings |
| 51 | + |
| 52 | +We prioritize fixes based on severity. |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +### Security Practices |
| 57 | + |
| 58 | +- Keep dependencies updated (Dependabot recommended) |
| 59 | +- Use automated code scanning tools (e.g., GitHub CodeQL) |
| 60 | +- Secret scanning is enabled to prevent sensitive data leaks |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +### Thank You to Reporters |
| 65 | + |
| 66 | +We sincerely appreciate anyone who responsibly reports a security issue. Your contribution helps **keep this project safe, reliable, and useful** for everyone. |
| 67 | + |
| 68 | +--- |
| 69 | + |
| 70 | +### Disclaimer |
| 71 | + |
| 72 | +These tools are provided as-is for learning and productivity. Users should review code before using it in production. Security reports help improve safety, but users are responsible for their own implementations. |
0 commit comments