| 1 | + |
| 2 | + |
| 3 | +# Security Policy |
| 4 | + |
| 5 | +## Supported Versions |
| 6 | + |
| 7 | +The following versions of `streamlit-launcher` are currently supported with security updates. Versions not listed as supported will not receive fixes, even for critical vulnerabilities. |
| 8 | + |
| 9 | +| Version | Supported | |
| 10 | +| ------- | ------------------ | |
| 11 | +| 5.1.x | ✅ | |
| 12 | +| 5.0.x | ❌ (End of Support) | |
| 13 | +| 4.0.x | ✅ | |
| 14 | +| < 4.0 | ❌ | |
| 15 | + |
| 16 | +Support generally follows a rolling release policy: only active major versions and the latest minor release branch receive security patches. |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +## Reporting a Vulnerability |
| 21 | + |
| 22 | +We take the security of `streamlit-launcher` seriously. If you discover a bug or security vulnerability, we kindly request that you report it responsibly. |
| 23 | + |
| 24 | +### How to Report |
| 25 | + |
| 26 | +To report a vulnerability, please contact us through one of the following secure channels: |
| 27 | + |
| 28 | +* **Email: ** `[email protected]` *(placeholder, ubah sesuai email kamu) * |
| 29 | +* **GitHub Security Advisory:** Use the **"Report a vulnerability"** feature on GitHub (preferred) |
| 30 | + |
| 31 | +Please include the following information: |
| 32 | + |
| 33 | +1. Description of the vulnerability |
| 34 | +2. Steps to reproduce |
| 35 | +3. Potential impact |
| 36 | +4. Suggested fixes (if any) |
| 37 | +5. Your contact information for follow-up |
| 38 | + |
| 39 | +Avoid publicly disclosing the issue before coordinating with us. Publicly posting vulnerabilities before a fix is issued may put users at risk. |
| 40 | + |
| 41 | +### Responsible Disclosure Process |
| 42 | + |
| 43 | +Once a report is submitted: |
| 44 | + |
| 45 | +| Step | Timeline | Description | |
| 46 | +| ------------------- | -------------------------- | --------------------------------------------------------------------------------------- | |
| 47 | +| Acknowledge report | within **72 hours** | We confirm receipt and begin initial assessment | |
| 48 | +| Initial assessment | within **5 business days** | Determine severity and plan remediation | |
| 49 | +| Security fix issued | depends on severity | Critical fixes may be released immediately; other patches follow standard release cycle | |
| 50 | +| Public advisory | after patch release | A security advisory will be published with credit to the reporter (if desired) | |
| 51 | + |
| 52 | +For critical vulnerabilities that affect many users, we may coordinate a private patch release before publishing public details. |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +### Vulnerability Acceptance / Rejection |
| 57 | + |
| 58 | +We may decline reports that: |
| 59 | + |
| 60 | +* Are out of project scope (e.g., issues in third-party dependencies) |
| 61 | +* Rely on unrealistic or contrived attack vectors |
| 62 | +* Represent expected behavior (not bugs) |
| 63 | +* Duplicate reports already submitted by others |
| 64 | + |
| 65 | +In the case of a declined report, we will provide a justification. |
| 66 | + |
| 67 | +### Scope of Responsibility |
| 68 | + |
| 69 | +`streamlit-launcher` is a CLI and helper tool intended to simplify booting Streamlit applications. This project **does not take responsibility** for vulnerabilities in: |
| 70 | + |
| 71 | +* Applications launched using this tool |
| 72 | +* Streamlit framework or its internal security model |
| 73 | +* Deployed infrastructure or hosting environments |
| 74 | +* Third-party packages used by end-users |
| 75 | + |
| 76 | +Users are responsible for securing their Streamlit app and hosting environment. |
| 77 | + |
| 78 | +--- |
| 79 | + |
| 80 | +### Thanks and Acknowledgment |
| 81 | + |
| 82 | +We deeply appreciate the security community and responsible researchers who help keep `streamlit-launcher` safe for everyone. |
| 83 | +If you wish to be credited after a fix is released, please let us know. |
| 84 | + |
| 85 | +--- |
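Review bot: the e-mail contact in the "How to Report" bullet is still a placeholder (it renders as `[email protected]` and carries the Indonesian note "ubah sesuai email kamu", i.e. "change this to your own e-mail"), so the policy as committed sends reporters to a non-existent address; put the real security contact there, or drop the bullet and keep only the GitHub advisory channel. The same bullet has `**Email: **` with a space before the closing asterisks, which Markdown will not render as bold; write `**Email:**` and remove the trailing ` *` that closes the italic note. Since the GitHub "Report a vulnerability" button is listed as the preferred channel, private vulnerability reporting needs to be enabled in the repository's security settings before this lands, otherwise that button does not appear.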