| 1 | +# Security Policy |
| 2 | + |
| 3 | +Thank you for your interest in improving the security of OpenFeign Querydsl. We are committed to addressing security issues responsibly and transparently. |
| 4 | + |
| 5 | +## Supported Versions |
| 6 | + |
| 7 | +We currently support the following versions of the project for security updates: |
| 8 | + |
| 9 | +| Version | Supported | |
| 10 | +|---------------|--------------------| |
| 11 | +| 6.x | ✅ | |
| 12 | +| 5.x and older | ❌ | |
| 13 | + |
| 14 | +If you're using an unsupported version, we recommend updating to the latest 6.x release. |
| 15 | + |
| 16 | +## Reporting a Vulnerability |
| 17 | + |
| 18 | +If you discover a security vulnerability, please follow these steps to report it responsibly: |
| 19 | + |
| 20 | +1. **Do not open a public issue**. Instead, report vulnerabilities through our [GitHub Security Advisories](https://github.com/OpenFeign/querydsl/security/advisories). |
| 21 | + - Navigate to the **Security** tab of the repository. |
| 22 | + - Click **Report a vulnerability**. |
| 23 | + - Provide as much detail as possible about the issue, including: |
| 24 | + - Steps to reproduce the vulnerability |
| 25 | + - Potential impact |
| 26 | + - Relevant logs, screenshots, or details |
| 27 | + - A proposed fix (if available) |
| 28 | + |
| 29 | +2. Once submitted, the report will remain private and will be visible only to the maintainers of this repository. |
| 30 | + |
| 31 | +3. Allow us a reasonable timeframe to investigate and address the issue before publicly disclosing any details. |
| 32 | + |
| 33 | +## Security Update Process |
| 34 | + |
| 35 | +- Upon receiving a vulnerability report, we will acknowledge receipt within **3 business days**. |
| 36 | +- Our team will assess and address the issue based on severity and impact. |
| 37 | +- Once resolved, we will release an updated version and disclose the issue in the release notes. |
| 38 | + |
| 39 | +## Scope of Vulnerabilities |
| 40 | + |
| 41 | +We are particularly interested in: |
| 42 | +- Remote code execution (RCE) |
| 43 | +- Unauthorized access or data exposure |
| 44 | +- Denial-of-service attacks |
| 45 | +- Code injection vulnerabilities |
| 46 | + |
| 47 | +We do **not** consider the following out-of-scope for this project: |
| 48 | +- Issues in dependencies (unless specific to this project's usage) |
| 49 | +- Security misconfigurations in end-user deployments |
| 50 | + |
| 51 | +## Contact Us |
| 52 | + |
| 53 | +If you have any questions about this security policy, feel free to open a discussion in the repository. |
| 54 | + |
| 55 | +Thank you for helping us make Querydsl more secure! |
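Review bot: the sentence at line 47 of the hunk, "We do **not** consider the following out-of-scope for this project:", says the opposite of what the two bullets beneath it intend; read literally, it declares dependency issues and end-user misconfigurations to be in scope. Suggest "The following are considered **out of scope** for this project:" so the list under it matches the "particularly interested in" list above. Two smaller points in the same hunk: the Supported Versions table at lines 9-12 has its header and separator cells padded to different widths, which is harmless to renderers but worth aligning; and the reporting steps at lines 20-31 name no expected fix or disclosure window beyond "a reasonable timeframe", while the update process at line 35 commits to a 3-business-day acknowledgement, so stating the disclosure expectation once, in either section, would remove the ambiguity for reporters.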