We provide security updates for the following versions of Compose-Settings:

We take the security of Compose-Settings seriously. If you discover a security vulnerability, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities. Public disclosure could put users at risk.

Send an email to bernatbor15@gmail.com with the following information:

• Description: A clear description of the vulnerability
• Impact: What could an attacker do with this vulnerability?
• Reproduction: Step-by-step instructions to reproduce the issue
• Affected Versions: Which versions of the library are affected?
• Proposed Fix: If you have suggestions for fixing the issue (optional)
• Your Contact: How we can reach you for follow-up questions

You can expect:

• Initial Response: Within 48 hours acknowledging receipt
• Status Update: Within 7 days with our assessment and planned actions
• Resolution: We aim to release a fix within 30 days for critical vulnerabilities

We follow coordinated disclosure practices:

1. We'll work with you to understand and validate the issue
2. We'll develop and test a fix
3. We'll prepare a security advisory
4. We'll release the fix and publish the advisory
5. You'll be credited for the discovery (unless you prefer to remain anonymous)

When using Compose-Settings in your application:

If you're using settings components with user input, ensure you validate and sanitize data:

SettingsSwitch(
    state = userPreference,
    title = { Text(sanitizeInput(userTitle)) }, // Sanitize user-provided content
    onCheckedChange = { newValue ->
        // Validate before persisting
        if (isValidInput(newValue)) {
            savePreference(newValue)
        }
    }
)

• Don't store sensitive data (passwords, tokens) in SharedPreferences without encryption
• Use Android Keystore or platform-specific secure storage for sensitive information
• Be cautious with SettingsMenuLink onClick handlers that navigate to sensitive screens

• Keep Compose-Settings updated to the latest version
• Regularly update your Compose Multiplatform and Kotlin dependencies
• Monitor for security advisories in your dependency chain

This library is primarily a UI component library. It does not:

• Store or transmit data on its own
• Make network requests
• Access device permissions
• Perform cryptographic operations

Security is primarily the responsibility of the application using these components.

The library respects platform security models:

• Android: Follows Android's security guidelines
• iOS: Follows iOS security best practices
• Desktop: Runs with JVM security manager constraints
• Web: Operates within browser security sandbox

Security updates will be:

• Released as patch versions (e.g., 2.24.1)
• Documented in release notes
• Announced via GitHub Security Advisories
• Highlighted in the project README

If you have questions about security but haven't found a vulnerability, you can:

• Open a GitHub Discussion
• Email bernatbor15@gmail.com for sensitive questions

Thank you for helping keep Compose-Settings and its users safe!