Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---------|-----------|
| 1.1.x   | ✅        |
| 1.0.x   | ❌        |
| 0.9.x   | ✅        |
| < 0.9   | ❌        |
We take the security of this project seriously. If you have discovered a security vulnerability in our project, please follow these steps to report it to us:

1. Do not disclose the vulnerability publicly until it has been addressed by our team.
2. Please email us at [email protected] with the following details:
   - A description of the vulnerability
   - Steps to reproduce the issue
   - Possible impacts of the vulnerability
   - Any potential mitigations you've identified
3. You should receive an initial response to your report within 48 hours, acknowledging receipt of your vulnerability report.
4. Our security team will investigate the issue and keep you informed of the progress.
5. Once the issue is confirmed and resolved, we will notify you and discuss the process of public disclosure.
- We will respond to your initial email within 48 hours with confirmation of receipt.
- We will keep you informed about the progress of fixing the vulnerability.
- We will notify you when the vulnerability is fixed.
- We will publicly disclose the vulnerability after it has been fully resolved, giving credit to the reporter unless they wish to remain anonymous.
- The vulnerability will be disclosed publicly once a patch is ready, typically within 90 days of the initial report.
- If a fix is not possible within 90 days, we will inform you and provide regular updates on the progress.
- Security updates will be released as soon as possible once a vulnerability is confirmed and fixed.
- We will create a security advisory on our GitHub repository detailing the vulnerability and the versions affected.
- Users will be notified through our official channels (mailing list, blog, Twitter) about the security update.
At this time, we do not offer a paid bug bounty program. However, we deeply appreciate the efforts of security researchers and will publicly acknowledge your contribution (unless you prefer to remain anonymous).
- Always use HTTPS in production environments.
- Keep all dependencies up to date, especially those related to security.
- Use environment variables for sensitive information, never hard-code them.
We regularly review and update third-party libraries used in this project. If you discover a security vulnerability in one of our dependencies, please let us know so we can update it as quickly as possible.
Thank you for helping to keep this project and our users safe!