We actively support security updates for the following versions:
| Version | Supported |
|---|---|
| 2.x.x | Fully supported |
| 1.9.x | Security fixes only |
| 1.8.x | Security fixes only |
| < 1.8 | No longer supported |
Note: We recommend always using the latest stable version for the best security posture.
Please DO NOT open a public GitHub issue for security vulnerabilities.
Security vulnerabilities should be reported privately to ensure they can be addressed before being publicly disclosed.
Primary Contact: princelv84@gmail.com
Alternative Methods:
- GitHub Security Advisories: Create a private security advisory
- Encrypted Email: PGP Key (if available)
When reporting a vulnerability, please include:
- **Vulnerability Type**
  - Classification (e.g., XSS, SQL Injection, RCE)
  - CVSS score estimate (if known)
- **Affected Components**
  - Specific files, functions, or endpoints
  - Version(s) affected
  - Platform/environment details
- **Detailed Description**
  - Step-by-step reproduction instructions
  - Proof of concept (PoC) code or screenshots
  - Potential impact assessment
- **Suggested Fix** (optional)
  - Proposed solution or mitigation
  - References to best practices
Subject: [SECURITY] Brief description of vulnerability
**Vulnerability Type**:
**Severity**: Critical/High/Medium/Low
**Affected Version(s)**:
**Environment**:
**Description**:
[Detailed description]
**Steps to Reproduce**:
1.
2.
3.
**Expected vs Actual Behavior**:
- Expected:
- Actual:
**Impact**:
[Describe potential impact]
**Proof of Concept**:
[Code, screenshots, or video demonstration]
**Suggested Mitigation**:
[If you have suggestions]
**Additional Context**:
[Any other relevant information]
| Stage | Timeline | Description |
|---|---|---|
| Initial Response | ≤ 48 hours | Acknowledgment of report receipt |
| Triage | ≤ 72 hours | Initial assessment and severity classification |
| Investigation | 1-2 weeks | Detailed analysis and reproduction |
| Fix Development | 2-4 weeks | Patch development and testing |
| Disclosure | 30-90 days | Coordinated public disclosure |
Note: Timeline may vary based on complexity and severity. Critical vulnerabilities receive expedited handling.
**In scope**:
- Authentication and authorization flaws
- Data validation and injection vulnerabilities
- Cryptographic weaknesses
- Business logic errors with security impact
- Dependencies with known vulnerabilities
- Configuration and deployment security issues

**Out of scope**:
- Social engineering attacks
- Physical security issues
- Third-party service vulnerabilities (unless directly integrated)
- Issues requiring extensive user interaction or unlikely scenarios
- Vulnerabilities in unsupported versions
- Issues requiring root/admin access to exploit
We maintain a list of security researchers who have responsibly disclosed vulnerabilities:
No reports received yet - be the first!
**Recognition**:
- Public acknowledgment in release notes
- Addition to our security researchers list
- LinkedIn recommendation (upon request)
- Swag/merchandise (where applicable)
Note: We currently don't offer monetary rewards but deeply appreciate responsible disclosure.
**For contributors**:
- Code Review: All code changes require review before merging
- Dependency Scanning: Regular updates and vulnerability scanning
- Static Analysis: Automated security testing in CI/CD
- Secrets Management: Never commit sensitive data

**For users**:
- Keep Updated: Always use the latest supported version
- Secure Configuration: Follow our security configuration guide
- Report Issues: Report any suspicious behavior immediately
- Monitor Advisories: Subscribe to security updates
- Security Configuration Guide (link to your docs)
- Deployment Security Checklist (link to your docs)
- Incident Response Plan (internal)
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Your PGP public key here if available]
-----END PGP PUBLIC KEY BLOCK-----
By reporting a security vulnerability, you agree to:
- Act in good faith and avoid privacy violations or data destruction
- Not disclose the vulnerability publicly until we've had a chance to address it
- Not exploit the vulnerability beyond demonstrating the issue
- Comply with all applicable laws and regulations
We commit to:
- Investigate all legitimate reports
- Keep you informed throughout the process
- Credit you appropriately (unless you prefer to remain anonymous)
- Not pursue legal action for good faith security research
For critical security issues requiring immediate attention:
- Email: princelv84@gmail.com (Subject: URGENT SECURITY)
- Expected Response: Within 24 hours
Last Updated: September 2025
Next Review: December 2025