We release patches for security vulnerabilities in the following versions:

We take the security of our software seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please email us at [email protected].

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

This information will help us triage your report more quickly.

After you submit a report, we will:

1. Acknowledge your email within 48 hours
2. Investigate the issue and confirm the vulnerability
3. Keep you informed of our progress toward a fix
4. Release a security patch as appropriate
5. Credit you in our release notes (if you wish to be named)

If you're contributing to this project, please follow these security guidelines:

• All code changes must go through Pull Requests
• PRs require approval from at least one maintainer before merging
• No direct commits to main or protected branches

• Keep dependencies up to date
• Review dependency changes for known vulnerabilities
• Use automated tools like Dependabot to monitor security issues

• Never commit credentials, API keys, tokens, or other secrets
• Use environment variables or secure secret management systems
• Review commits for accidentally included secrets before pushing

• Follow OWASP Top 10 best practices
• Validate and sanitize all user inputs
• Use parameterized queries to prevent SQL injection
• Implement proper authentication and authorization
• Use HTTPS/TLS for all network communications

This project includes the following security measures:

• Dependabot alerts enabled for vulnerable dependencies
• Secret scanning enabled to prevent credential leaks
• Code review required for all changes
• Branch protection rules enforced on main branches

We follow a coordinated disclosure approach:

1. Security issues are privately investigated and patched
2. A security advisory is prepared but not published
3. We notify relevant parties (e.g., major users, downstream projects)
4. A patch release is made available
5. The security advisory is published after users have had time to update

We aim to complete this process within 90 days of the initial report, though complex issues may take longer.

Security updates are released as:

• Patch versions (x.x.X) for currently supported versions
• Security advisories published on our GitHub Security Advisories page
• Release notes clearly marking security-related changes

• OWASP Top 10
• CWE Top 25 Most Dangerous Software Weaknesses
• GitHub Security Best Practices

For general security questions or concerns, please contact:

• Email: [email protected]

Last Updated: 14 November 2025 Version: 1.0

This security policy is maintained by the repository maintainers and reviewed regularly.