Use this section to tell people about which versions of your project are currently being supported with security updates.
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security vulnerability, please use one of the following methods:
- Navigate to the Security tab of this repository
- Click on "Report a vulnerability"
- Fill out the form with details about the vulnerability
- Submit the report
Send an email to roku674@gmail.com with:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
- Initial Response: Within 48 hours, we will acknowledge receipt of your vulnerability report
- Assessment: Within 5 business days, we will provide an initial assessment of the vulnerability
- Resolution: We aim to resolve critical vulnerabilities within 30 days and non-critical vulnerabilities within 90 days
- Disclosure: Once a fix is available, we will coordinate disclosure with you
When a security vulnerability is fixed:
- The fix will be released as soon as possible
- Release notes will include a security advisory
- The vulnerability will be assigned a CVE if applicable
- Credit will be given to the reporter (unless anonymity is requested)
When using this copyright checking tool:
- Always run the tool in a secure environment
- Ensure file permissions are properly set
- Review the copyright patterns before applying them
- Keep the tool updated to the latest version
- Monitor GitHub Actions logs for any suspicious activity
The following are within scope for security reports:
- Code execution vulnerabilities
- Authentication bypasses
- Information disclosure
- Denial of service vulnerabilities
- Injection vulnerabilities
- Logic errors leading to security issues
The following are out of scope:
- Social engineering attacks
- Physical attacks
- Attacks requiring physical access to a user's device
- Denial of service attacks via resource exhaustion
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep our project and our users safe!