We actively support the following versions of bretrics with security updates:

We take the security of bretrics seriously. If you discover a security vulnerability, please follow these steps:

1. DO NOT open a public GitHub issue for security vulnerabilities
2. Send a detailed report to the repository maintainer via:
   • GitHub Security Advisory: Report a vulnerability
   • Email: Create an issue in the issue tracker marked as Security (if no sensitive details need to be shared)

Please provide the following information in your report:

• Description: A clear description of the vulnerability
• Impact: What could an attacker accomplish by exploiting this vulnerability
• Reproduction: Step-by-step instructions to reproduce the issue
• Version: The version of bretrics affected
• Environment: Relevant environment details (Node.js version, Browser, etc.)
• Suggested Fix (optional): If you have ideas on how to fix the vulnerability

• Initial Response: Within 48 hours of receiving the report
• Status Update: Within 7 days with either a fix timeline or request for more information
• Resolution: Security patches will be released as soon as possible, typically within 14 days for critical issues

1. The vulnerability is confirmed and assessed
2. A fix is developed and tested
3. A security advisory is prepared
4. A new version is released with the fix
5. The security advisory is published with CVE (if applicable)

When using bretrics:

• Always use the latest stable version
• Regularly update dependencies using npm update or npm audit fix
• Review the CHANGELOG for security-related updates
• Use npm audit to check for known vulnerabilities in dependencies

• Follow secure coding practices
• Run npm audit before submitting pull requests
• Never commit sensitive information (API keys, passwords, tokens)
• Test changes thoroughly with various configurations

This package relies on web-vitals and related dependencies. We:

• Monitor security advisories for all dependencies
• Update dependencies promptly when security issues are discovered
• Use npm audit in our CI/CD pipeline
• Follow semantic versioning to ensure stable updates

As a browser monitoring library, bretrics:

• Collects performance metrics - all data is anonymized and aggregated
• Sends data to configured endpoint - ensure endpoint is secure (HTTPS)
• Runs in browser context - follows CSP and CORS security policies
• Does not collect sensitive user data - only performance metrics

However, always ensure you:

• Install packages from official npm registry
• Verify package integrity using npm audit
• Use HTTPS for metrics endpoint
• Review what metrics are being collected

When a security vulnerability is fixed:

1. We will credit the reporter (unless they wish to remain anonymous)
2. Details will be disclosed after a fix is available
3. We will publish a security advisory on GitHub
4. The vulnerability will be documented in the CHANGELOG

For any security-related questions or concerns, please:

• Open a GitHub Security Advisory
• Create an issue at: https://github.com/MobileTeleSystems/bretrics-web/issues

Thank you for helping keep bretrics and its users safe!