| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +The following versions of **@rbac/rbac** receive security updates and fixes. Only actively maintained releases will be patched in the event of a confirmed security issue. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | --------- | |
| 9 | +| 2.1.x | yes | |
| 10 | +| 2.0.x | limited | |
| 11 | +| < 2.0 | no | |
| 12 | + |
| 13 | +- **2.1.x** is the current latest release on npm and is actively published. :contentReference[oaicite:1]{index=1} |
| 14 | +- **2.0.x** is an older release but may receive critical fixes at maintainers’ discretion. :contentReference[oaicite:2]{index=2} |
| 15 | +- Versions **below 2.0** are no longer maintained and are not eligible for security backports. :contentReference[oaicite:3]{index=3} |
| 16 | + |
| 17 | +## Reporting a Vulnerability |
| 18 | + |
| 19 | +We take security issues seriously and encourage responsible disclosure. If you believe you have found a security vulnerability in this project, please follow the process below: |
| 20 | + |
| 21 | +### How to Report |
| 22 | + |
| 23 | +1. **Create a GitHub Issue with the `security` label** in the repository: |
| 24 | + https://github.com/phellipeandrade/rbac/issues |
| 25 | +2. In the issue, include: |
| 26 | + - A clear description of the issue. |
| 27 | + - Steps to reproduce the issue. |
| 28 | + - Minimal reproduction code if applicable. |
| 29 | + - Affected version(s) (as specified in Supported Versions). |
| 30 | + |
| 31 | +### What to Expect |
| 32 | + |
| 33 | +- You will receive an acknowledgement of your report within **5 business days**. |
| 34 | +- A core maintainer will evaluate the report and may request additional details. |
| 35 | +- If the issue is confirmed, the maintainers will: |
| 36 | + - Coordinate a fix. |
| 37 | + - Publish a patched release for supported versions. |
| 38 | + - Update this policy if needed. |
| 39 | +- You will be kept informed of progress via the GitHub issue. |
| 40 | + |
| 41 | +### Confidentiality |
| 42 | + |
| 43 | +Please **do not publish or disclose details publicly** until a fix is available and communicated by project maintainers. |
| 44 | + |
| 45 | +## Security Fix Backporting |
| 46 | + |
| 47 | +Security patches for confirmed vulnerabilities will be backported to supported versions when feasible. Unsupported versions will not receive patches. |
| 48 | + |
| 49 | +## Disclosure Timeline |
| 50 | + |
| 51 | +| Stage | Target Duration | |
| 52 | +| --------------------------- | ---------------------- | |
| 53 | +| Acknowledgement of report | ≤ 5 business days | |
| 54 | +| Initial triage | ≤ 10 business days | |
| 55 | +| Fix coordination & release | Varies by severity | |
| 56 | + |
| 57 | +## Contact |
| 58 | + |
| 59 | +For security reports and coordination, open an issue with the `security` label on the repository: |
| 60 | +https://github.com/phellipeandrade/rbac/issues |
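Review bot: the reporting process at file lines 23-24 and 59-60 tells reporters to open a public GitHub Issue, which directly contradicts the Confidentiality section at line 43 ("do not publish or disclose details publicly until a fix is available"); a reporter who follows the instructions publishes the reproduction steps to everyone watching the repository before triage and before any patch exists. Replace the public-issue instruction with a private channel, for example GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab, which a maintainer must first enable in the repository settings) or a dedicated security contact address, and reserve the `security`-labelled issue for the public advisory after the fix ships; the Contact section should point at the same private channel rather than repeating the issues URL. Two smaller points in the same hunk: the `:contentReference[oaicite:1]{index=1}` tokens at lines 13-15 are leftover citation markers that will render as literal text and should be deleted, and "limited" for 2.0.x at line 10 should state what it means (line 14 already says critical fixes at maintainers' discretion) so the table and the bullet agree.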