We are committed to maintaining the security of Fortify Schema. The following versions are currently supported with security updates:
| Version | Supported | Status |
|---|---|---|
| 2.1.x | ✅ | Current stable (2.1.2) |
| 2.0.x | ✅ | LTS support |
| 1.x.x | ❌ | End of life |
| < 1.0 | ❌ | End of life |
Note: As Fortify Schema is actively developed, we maintain support for the current minor version series (2.1.x) and the most recent major version (2.0.x) for long-term support. The current stable release is 2.1.2.
Fortify Schema incorporates several built-in security measures:
- Secure Regex Patterns: All string operations use secure regex patterns instead of potentially vulnerable methods
- Input Sanitization: Automatic validation prevents common injection attacks
- Type Safety: Runtime validation ensures data integrity and prevents type confusion attacks
- Depth Limiting: Built-in protection against deeply nested objects (default limit: 500 levels, configurable)
- Memory Safety: Optimized validation paths prevent memory exhaustion attacks
We take security vulnerabilities seriously. If you discover a security vulnerability in Fortify Schema, please follow these steps:
- Email: Send details to
fortifyschema@gmail.com - GitHub: For non-critical issues, you may also use GitHub Security Advisories
Please include the following information in your report:
- Description: Clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact Assessment: Potential security impact and affected components
- Proof of Concept: Code example demonstrating the vulnerability (if applicable)
- Suggested Fix: If you have ideas for remediation (optional)
- Environment: Fortify Schema version, Node.js version, TypeScript version
- Initial Response: Within 48 hours of report submission
- Vulnerability Assessment: Within 5 business days
- Fix Development: Within 14 days for critical issues, 30 days for moderate issues
- Release Schedule: Security patches are released as soon as possible after validation
If the vulnerability is accepted:
- We will acknowledge the issue and provide a timeline for resolution
- We will work on a fix and coordinate disclosure with you
- Credit will be given to the reporter (unless anonymity is requested)
- A security advisory will be published after the fix is released
If the vulnerability is declined:
- We will provide a clear explanation of why the issue doesn't qualify as a security vulnerability
- We may suggest alternative approaches or clarifications
- You are welcome to discuss the decision or provide additional information
When using Fortify Schema in production:
- Keep Updated: Always use the latest stable version
- Validate Depth: Configure appropriate depth limits for nested objects
- Monitor Performance: Watch for unusual validation patterns that might indicate attacks
- Sanitize Inputs: Use Fortify Schema as part of a comprehensive input validation strategy
- Error Handling: Implement proper error handling to prevent information leakage
We follow responsible disclosure practices:
- Security vulnerabilities are not publicly disclosed until fixes are available
- We coordinate with security researchers to ensure proper timeline and communication
- We maintain transparency about security issues through our security advisories
- We provide migration guides when security fixes require breaking changes
For security-related questions or concerns:
- Security Team:
support@nehonix.com - General Issues: GitHub Issues
- Community Discussion: GitHub Discussions
Last Updated: July 2025
Policy Version: 1.0