Skip to content

Security: DedrisLab/DedrisFramework

Security

SECURITY.md

Security Policy

DedrisFramework is a young open source project. The project currently ships static CSS, browser JavaScript, Cordova starter templates, and documentation; it does not run a hosted backend or collect user data by itself.

Supported Versions

Security fixes are prepared for the latest code on the default branch until the first stable release policy is published.

Version Status
0.1.x Supported for best-effort security fixes
Earlier snapshots Not supported

Reporting a Vulnerability

Please do not open a public issue for a suspected vulnerability.

Report privately by emailing security@dedrisframework.com with:

  • a short description of the issue,
  • affected files, APIs, templates, or plugin recommendations,
  • reproduction steps or a minimal example,
  • the expected impact,
  • whether the issue is already public.

If that address is unavailable, contact a project maintainer through the repository owner profile and avoid posting exploit details publicly.

Response Expectations

The maintainers aim to acknowledge valid reports within 7 days. For accepted reports, the expected flow is:

  1. Confirm the affected version, template, or documentation path.
  2. Prepare a fix or mitigation on a private branch when practical.
  3. Release the fix and publish notes that credit the reporter when desired.
  4. Publicly document the issue after users have a reasonable update path.

Because this is a volunteer project, timelines are best effort. Critical issues that expose credentials, enable script execution in generated apps, or recommend unsafe Cordova plugin usage receive priority.

Project Security Boundaries

DedrisFramework does not control the runtime behavior of third-party Cordova plugins, native SDKs, app backends, app store accounts, or developer signing keys. App authors are responsible for:

  • reviewing Cordova plugin permissions and maintenance status,
  • validating privacy disclosures for camera, location, contacts, files, notifications, sensors, and background execution,
  • keeping Android, iOS, Cordova, and plugin dependencies updated,
  • storing secrets outside this repository and outside client-side app bundles,
  • applying platform security controls such as CSP, HTTPS-only APIs, secure storage, and least-privilege permissions.

Non-Security Issues

General bugs, accessibility problems, documentation gaps, and plugin health updates can be reported through normal project issues or pull requests.

There aren't any published security advisories