If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Email security concerns to the maintainer (check repository owner's profile for contact)
- Or use GitHub's private vulnerability reporting if enabled

Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to expect after reporting:
- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix timeline: Depends on severity and complexity

Security updates are provided for:
- Latest major version
- Previous major version (for 6 months after new major release)

When using this project:
- Keep dependencies up to date
- Use secrets management for sensitive data (never commit secrets)
- Follow the principle of least privilege
- Enable Dependabot security updates
- Review and audit third-party dependencies

Disclosure policy:
- Vulnerabilities will be disclosed after a fix is available
- Credit will be given to reporters (unless anonymity is requested)
- CVE IDs will be requested for significant vulnerabilities