We take the security of BarcodeGenerator seriously. This document outlines our security practices, supported versions, and how to report security vulnerabilities responsibly.
We actively maintain security updates for the following versions:
| Version | Supported | Status | End of Life |
|---|---|---|---|
| 2.1.x | Current | 🟢 Active | TBD |
| 2.0.x | LTS | 🟡 Security Only | December 2025 |
| < 2.0 | Unsupported | 🔴 EOL | June 2024 |
- Current (2.1.x): Full feature updates and security patches
- LTS (2.0.x): Critical security patches only until EOL
- Unsupported (< 2.0): No security updates - please upgrade immediately
Found a security issue? We appreciate your responsible disclosure. Please report it privately by email rather than in the public issue tracker.
- Email: Send details to security@[domain] (replace with actual email)
- Subject: `[SECURITY] BarcodeGenerator vulnerability report`
- Include: Detailed description, reproduction steps, and impact assessment
What you can expect from us:
- Initial Response: Within 24-48 hours
- Status Updates: Every 3-5 business days
- Resolution: 30-90 days depending on severity
A good report contains:
- Description: Clear explanation of the vulnerability
- Reproduction Steps: How to reproduce the issue
- Impact: Potential security implications
- Environment: .NET version, OS, library version
- PoC Code: Minimal proof-of-concept (if applicable)
We use the following severity levels to prioritize security issues:
| Severity | Description | Response Time |
|---|---|---|
| 🔴 Critical | Remote code execution, privilege escalation | 24-48 hours |
| 🟠 High | Data exposure, authentication bypass | 3-5 days |
| 🟡 Medium | Information disclosure, DoS attacks | 1-2 weeks |
| 🟢 Low | Minor security improvements | 2-4 weeks |
Once a report is received, we follow these steps:
- Investigation: We'll investigate and validate the report
- Assessment: Determine severity and impact scope
- Fix Development: Create and test security patches
- Disclosure: Coordinate a responsible disclosure timeline with the reporter
- Recognition: Credit the reporter in the security advisory (if desired)
Best practices for applications that use BarcodeGenerator:
- Always validate input before passing it to barcode encoding
- Sanitize file paths when using export templating features
- Keep dependencies updated, including SkiaSharp
- Use the latest stable version to receive security patches
- Never trust user input for file paths or options
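The following is an added example (not code from BarcodeGenerator itself) showing how an application can enforce the two rules above before calling any encoder or exporter: a payload check that rejects empty, oversized, or control-character input, and a path resolver that confines a user-supplied file name to a fixed export directory. The class name `BarcodeGuard`, the limits, and the allowed extensions are assumptions for illustration; the encoder's own symbology rules still apply on top of this.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not part of BarcodeGenerator: a guard layer that sits in
// front of whatever encode/export calls your application makes.
public static class BarcodeGuard
{
    // Assumed application limits; adjust to your symbology and use case.
    private const int MaxPayloadLength = 256;
    // \z (not $) so a trailing newline cannot sneak past the check.
    private static readonly Regex PrintableAscii = new Regex(@"^[\x20-\x7E]+\z", RegexOptions.Compiled);
    private static readonly string[] AllowedExtensions = { ".png", ".svg" };

    // Reject payloads an attacker could use to probe the encoder.
    public static string ValidatePayload(string payload)
    {
        if (string.IsNullOrEmpty(payload))
            throw new ArgumentException("Payload must not be empty.", nameof(payload));
        if (payload.Length > MaxPayloadLength)
            throw new ArgumentException($"Payload longer than {MaxPayloadLength} characters.", nameof(payload));
        if (!PrintableAscii.IsMatch(payload))
            throw new ArgumentException("Payload contains control or non-ASCII characters.", nameof(payload));
        return payload;
    }

    // Turn a user-supplied file name into an absolute path guaranteed to live
    // inside exportRoot. Rejects rooted names, separators, traversal after
    // normalisation, and unexpected extensions.
    public static string ResolveExportPath(string exportRoot, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName))
            throw new ArgumentException("File name must not be empty.", nameof(requestedName));

        // A bare file name only: no drive/root, no directory separators on
        // either platform, no characters the OS would reject.
        if (Path.IsPathRooted(requestedName)
            || requestedName.IndexOfAny(new[] { '/', '\\' }) >= 0
            || requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("File name must be a bare name without directories.", nameof(requestedName));

        string root = Path.GetFullPath(exportRoot)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        // Defence in depth: confirm the normalised path still starts with the
        // export root (catches "." and ".." tricks the checks above missed).
        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Resolved path escapes the export directory.");

        string ext = Path.GetExtension(full);
        if (!AllowedExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase))
            throw new ArgumentException($"Extension '{ext}' is not an allowed export format.", nameof(requestedName));

        return full;
    }

    public static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "barcode-exports");
        // Constructed inputs: one well-formed request, then hostile ones.
        string[][] requests =
        {
            new[] { "ORDER-2025-0001", "order.png" },
            new[] { "ORDER-2025-0001", "../../etc/passwd" },
            new[] { "ORDER-2025-0001", "C:\\Windows\\win.ini" },
            new[] { "ORDER\u0000-0001", "order.png" },
            new[] { "ORDER-2025-0001", "order.exe" },
        };
        foreach (var r in requests)
        {
            try
            {
                string payload = ValidatePayload(r[0]);
                string path = ResolveExportPath(root, r[1]);
                Console.WriteLine($"OK   payload={payload} -> {path}");
                // Only here would you call the encoder and write the file.
            }
            catch (Exception ex) when (ex is ArgumentException || ex is UnauthorizedAccessException)
            {
                Console.WriteLine($"DENY {r[0]} / {r[1]}: {ex.Message}");
            }
        }
    }
}
```

The separator check makes the resolver portable: on Linux `Path.GetInvalidFileNameChars()` does not include `\`, so a Windows-style traversal would otherwise survive to the `StartsWith` check, which is why both checks are kept. Only the first request reaches the point where an encoder would be invoked.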
Guidelines for contributors to the library:
- Run security scans before submitting PRs
- Follow the secure coding guidelines in our contributing docs
- Test edge cases that could lead to security issues
- Document the security implications of new features
We actively monitor our dependencies for security vulnerabilities:
- SkiaSharp: Core graphics library - monitored via GitHub security advisories
- System.Memory/Buffers: Framework compatibility - follows Microsoft security updates
- PolySharp: Build-time only dependency - minimal runtime impact
A typical disclosure timeline looks like this:
- Day 0: Vulnerability reported
- Day 1-2: Initial triage and acknowledgment
- Day 3-30: Investigation and fix development
- Day 30-90: Testing, review, and coordinated disclosure
- Post-fix: Public advisory and CVE assignment (if applicable)
Fixes are announced as follows:
- Security advisories published on the GitHub Security tab
- Release notes include security fix details
- CVE assignment for significant vulnerabilities
- Credit given to reporters (unless requested otherwise)
Where to direct questions:
- General Security Questions: Create a GitHub Discussion
- Non-Security Bugs: Use our Issue Tracker
- Security Concerns: Email security@[domain] directly
We appreciate the security research community's efforts to help keep BarcodeGenerator and its users safe. Responsible disclosure helps us protect our users while giving us time to develop and test proper fixes.
Together, we can build a more secure ecosystem!
Last updated: August 2025