| Version | Supported |
|---|---|
| 1.0.x | ✅ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT open a public GitHub issue for security vulnerabilities
- Email the maintainer directly with details of the vulnerability
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Timeline: Depends on severity
- Critical: 24-48 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
- Keep dependencies updated: Run
pip install --upgrade -r requirements.txtregularly - Use virtual environments: Isolate project dependencies
- Validate input images: Only process product images from trusted sources
- Review file permissions: Ensure output directories have appropriate access controls
- Secure Google Drive integration: Use appropriate OAuth scopes
This project includes:
- Dependabot: Automated security updates for dependencies
- CodeQL: Static analysis for vulnerability detection
- Pre-commit hooks: Security checks before commits (detect-private-key)
- Validate image file headers before processing
- Limit maximum video duration to prevent resource exhaustion
- Sanitize file paths to prevent directory traversal
- Use secure temporary file handling for video frames
- Use OAuth 2.0 with minimal required scopes
- Store OAuth tokens securely
- Never commit credentials.json to version control
- Revoke access when no longer needed
We appreciate responsible disclosure and will acknowledge security researchers who help improve this project's security.