The following versions of New Grad Jobs are currently receiving security updates:

Please do NOT open a public GitHub Issue for security vulnerabilities.

Opening a public issue exposes the vulnerability to all users — including malicious actors — before a patch is available.

1. Email the maintainer directly at: contact@riteshrana.engineer
2. Use the subject line: [SECURITY] New Grad Jobs - <brief description>
3. Include the following in your report:
   • A description of the vulnerability and its potential impact
   • Steps to reproduce the issue
   • Any proof-of-concept code or screenshots
   • The version(s) affected
   • Your suggested fix (if you have one)

We will keep you informed throughout the process and, with your permission, will credit you in the security advisory upon public disclosure.

The following are in scope for security reports:

• GitHub Actions workflows: Secrets exposure, workflow injection, supply-chain attacks
• Python scraper (scripts/update_jobs.py): Arbitrary code execution, SSRF, credential leakage
• Dependency vulnerabilities: Known CVEs in requirements.txt dependencies
• GitHub Pages frontend (docs/): XSS, content injection, open redirects
• config.yml: Configurations that could enable malicious scraping behavior

The following are out of scope:

• Vulnerabilities in third-party job boards (Greenhouse, Lever, etc.) — report to those vendors
• Rate-limiting or IP banning by scraped sites (expected operational behavior)
• Social engineering attacks

When contributing to this project, please observe the following:

• Never hardcode credentials, tokens, or API keys — use GitHub Secrets and environment variables
• Validate all external data — data from scraped APIs should be treated as untrusted
• Pin dependency versions — use exact versions in requirements.txt to prevent supply-chain attacks
• Review GitHub Actions permissions — workflows should request the minimum permissions required

Thank you for helping keep New Grad Jobs and its users safe.