We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

Please do not report security vulnerabilities through public GitHub issues.

If you believe you have found a security vulnerability in Canvas LMS Kit, please report it to us through coordinated disclosure.

Please report security vulnerabilities to: security@canvas-lms-kit.dev or jjuanrivvera@gmail.com

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

- Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours.
- Assessment: We will confirm the vulnerability and determine its impact within 7 days.
- Fix Development: We will develop and test a fix based on the severity:
  - Critical: Within 7 days
  - High: Within 14 days
  - Medium: Within 30 days
  - Low: Within 60 days
- Release: We will release the fix and publicly disclose the vulnerability after ensuring users have had adequate time to update.

We prefer all communications to be in English.

We follow the principle of Coordinated Vulnerability Disclosure. We kindly ask security researchers to:

- Allow us reasonable time to address the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with explicit permission of the account holder.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If you have suggestions on how this process could be improved, please submit a pull request or open an issue to discuss.