Document Metadata
- Author: Aiotize Security Team
- Version: 1.0.0
- Last Updated: 2025-10-16
- Status: Active
- Classification: Public
- Review Cycle: Quarterly
We take security seriously at Aiotize. The following table shows which versions of our projects are currently receiving security updates:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities via:
- Email: security@aiotize.com (preferred)
- Private Security Advisory: Use GitHub's private vulnerability reporting feature
Please include the following information in your report:
- Type of vulnerability (e.g., XSS, SQLi, CSRF, etc.)
- Full path(s) of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
After a report is received, you can expect the following response times:
- Acknowledgment: Within 48 hours of your report
- Initial Assessment: Within 5 business days
- Status Updates: Regular updates every 5 business days
- Resolution Timeline: Based on severity
  - Critical: 1-7 days
  - High: 7-30 days
  - Medium: 30-90 days
  - Low: 90+ days
Security practices for contributors:
- Never commit secrets (API keys, passwords, tokens)
- Use environment variables for sensitive configuration
- Keep dependencies updated to patch known vulnerabilities
- Follow secure coding guidelines specific to the project
- Enable 2FA on your GitHub account
Security practices for users:
- Keep software updated to the latest stable version
- Use strong authentication methods
- Review permissions granted to applications
- Report suspicious activity immediately
Coordinated disclosure timeline:
- Day 0: Vulnerability reported and acknowledged
- Day 1-5: Initial assessment and triage
- Day 5-30: Development of fix (depending on severity)
- Day 30-90: Coordinated disclosure (after fix is available)
Disclosure policy:
- We follow responsible disclosure practices
- Security advisories will be published after fixes are available
- Credit will be given to reporters (unless anonymity is requested)
Repository and infrastructure security measures:
- Branch protection: Enabled on main branches
- Required reviews: All PRs require approval
- Signed commits: Encouraged for all contributors
- Dependency scanning: Automated vulnerability checks
- Secret scanning: Enabled to prevent credential leaks
- Access control: Role-based access (RBAC)
- Audit logging: All actions are logged
- Encryption: Data encrypted in transit and at rest
- Regular updates: Systems and dependencies kept current
Security contact:
- Primary Contact: security@aiotize.com
- Response Time: 48 hours maximum
- PGP Key: Available upon request
We appreciate the security research community and acknowledge all researchers who responsibly disclose vulnerabilities.
Contributors who have helped improve our security will be listed here (with permission):
- List will be updated as vulnerabilities are responsibly disclosed and fixed
Document Control
- Next Review Date: 2026-01-16
- Approved By: Aiotize Security Team
- Version History: Available in Git history
Thank you for helping keep Aiotize secure! 🔒