We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Please report (suspected) security vulnerabilities to the repository maintainers. You will receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity.
Please do not report security vulnerabilities through public GitHub issues.
When reporting a security issue, please include:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
When using AegisPay in production:
- Never store sensitive payment data: Card numbers, CVV should never be persisted
- Use environment variables: Store API keys and secrets in environment variables
- Enable webhook signature verification: Always verify webhook signatures from payment gateways
- Implement rate limiting: Protect your payment endpoints from abuse
- Use HTTPS: Always use encrypted connections for payment data
- Keep dependencies updated: Regularly update dependencies to get security patches
- Enable audit logging: Track all payment operations for security monitoring
- Implement idempotency: Use idempotency keys to prevent duplicate charges
- Validate input: Always validate and sanitize payment method data
- Use distributed locking: Prevent race conditions in payment processing
When we receive a security bug report, we will:
- Confirm the problem and determine the affected versions
- Audit code to find any potential similar problems
- Prepare fixes for all supported releases
- Release new security fix versions as soon as possible
If you have suggestions on how this process could be improved, please submit a pull request.