We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |

We take the security of our project seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- Email: Send an email with details of the vulnerability to the repository maintainer
- GitHub Security Advisories: Use the "Security" tab in this repository to privately report a vulnerability
Please include the following information in your report:
- Type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After submitting a vulnerability report, you can expect:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 72 hours
- Assessment: We will assess the vulnerability and determine its severity and impact
- Updates: We will keep you informed about our progress toward a fix and announcement
- Resolution: We will notify you when the vulnerability has been fixed
- Credit: If you wish, we will publicly acknowledge your responsible disclosure
- Security issues should be disclosed responsibly
- We request that you give us reasonable time to investigate and mitigate the issue before public disclosure
- We will coordinate with you on the timing of public disclosure
When using code or configurations from this repository:
- Keep Dependencies Updated: Regularly update all dependencies to their latest secure versions
- Review Code: Carefully review any code before implementing it in production environments
- Test in Non-Production: Always test scripts and configurations in non-production environments first
- Secure Credentials: Never commit sensitive information (passwords, API keys, tokens) to the repository
- Access Control: Implement proper access controls and follow the principle of least privilege
- Audit Logs: Enable and monitor audit logging where applicable
- Backup: Maintain regular backups before making configuration changes
Security updates will be released as needed and announced through:
- GitHub Security Advisories
- Repository releases with security tags
- Updates to this SECURITY.md file
This security policy applies to:
- All code in this repository
- All documentation and configuration examples
- All released versions and branches
For non-security-related issues, please use the standard GitHub issue tracker.
Thank you for helping keep this project and its users safe!