| Version | Supported |
|---------|-----------|
| 1.0.x   | ✅        |
| < 1.0   | ❌        |
- Automated scanning with GitHub CodeQL
- Dependabot alerts and updates
- Protected main branch
- Required code reviews
- Regular dependency audits
- SAST and SCA scanning
- Secure development practices
- Private Reporting: Use GitHub's private vulnerability reporting
- Response Time: Initial response within 48 hours
- Process:
  - Acknowledgment
  - Investigation
  - Fix development
  - Security advisory publication
  - Public disclosure
- Use secure dependency versions
- Implement input validation
- Follow OWASP guidelines
- No hardcoded secrets
- Validate file operations
- Keep dependencies updated
- Use environment variables
- Set appropriate file permissions
- Follow least privilege principle
- Enable 2FA for GitHub access
- Token-based authentication
- Secure token storage
- Environment variable usage
- No sensitive data in logs
- Secure file operations
- Input sanitization
Our security practices align with:
- OWASP Top 10
- CWE guidelines
- NIST standards