We actively maintain security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | Fully supported |
| < Latest | Security updates on a best-effort basis |
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security issues by:
- Email: Send details to the project maintainers via GitHub
- Private Issue: Use GitHub's security advisory feature if available
- Direct Contact: Contact repository administrators directly
Please include the following information:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Security measures in place:
- CodeQL: Automated security scanning on all pull requests
- Dependency Scanning: Regular vulnerability detection
- License Compliance: Automated license validation
- Dependabot: Automated security updates
- Pinned Dependencies: Critical dependencies pinned by hash
- Vulnerability Monitoring: Continuous monitoring of known CVEs
- Least Privilege: GitHub Actions use minimal required permissions
- Supply Chain Protection: All third-party actions pinned by commit hash
- Secure Workflows: No dangerous workflow patterns
- Container Security: Base images pinned to specific digests
- AWS IAM: Least privilege access controls
- Encryption: TLS 1.2+ for all communications
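As an added check (not the project's own tooling), the script below audits a workflow file and a Dockerfile for two of the pinning controls listed above: third-party actions not pinned to a full 40-hex commit SHA, and base images lacking a sha256 digest. The sample workflow, Dockerfile, SHA and digest are constructed placeholders, not real pins.

```python
import re

# A step's "uses:" line in a GitHub Actions workflow: owner/repo[/path]@ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, not a tag or branch
# A Dockerfile FROM line: optional --flags, image[:tag][@sha256:digest], optional AS alias
FROM_RE = re.compile(r"^\s*FROM\s+((?:--\S+\s+)*)(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_actions(workflow_text):
    """(line_no, action@ref) for every remote action not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((n, f"{m.group(1)}@{m.group(2)}"))
    return findings

def unpinned_images(dockerfile_text):
    """(line_no, image) for each FROM image lacking a sha256 digest; scratch and earlier stages are skipped."""
    findings, stages = [], set()
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(2), m.group(3)
        if alias:
            stages.add(alias)  # later "FROM <alias>" refers to this stage, not a registry image
        if image.lower() == "scratch" or image in stages:
            continue
        if not DIGEST_RE.search(image):
            findings.append((n, image))
    return findings

# Constructed sample inputs; the SHA and digest are placeholders, not real pins.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/lint
"""
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 python:3.12-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
FROM python:3.12-slim
FROM build AS final
FROM scratch
"""
```

Local actions (`./...`) carry no `@ref` and are not reported; a mutable tag such as `@v5` is, because the tag can be moved to different code after review.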
Target response times by severity:
- Critical vulnerabilities: 24-48 hours
- High severity: 7 days
- Medium severity: 30 days
- Low severity: Next release cycle
This project undergoes regular security assessments:
- OpenSSF Scorecard: Monthly comprehensive security analysis
- Dependency Scanning: Weekly automated checks
- Static Analysis: On every pull request
- Security Reviews: Quarterly manual assessments
Security decisions follow these principles:
- Defense in Depth: Multiple layers of security controls
- Zero Trust: Verify all access and communications
- Least Privilege: Minimum required access permissions
- Continuous Monitoring: Real-time threat detection
- Incident Response: Documented response procedures
Standards and frameworks referenced:
- OpenSSF Scorecard: Security health metrics
- NIST Cybersecurity Framework: Security guidelines
- OWASP Top 10: Common vulnerabilities
For questions about this security policy, please contact the project maintainers.