# Security Policy

## Supported Versions

This project provides security updates for the following versions:

| Version | Supported |
|---------|-----------|
| 1.x     | ✅ Yes    |
| 0.x     | ❌ No     |

Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.

## Reporting a Vulnerability

**Do not open public GitHub issues for security vulnerabilities.**

Instead, please report security issues to the maintainers privately:

### Reporting Process

1. Email security details to the maintainers (see project README for contact)
2. Include:
   - Description of the vulnerability
   - Steps to reproduce (if possible)
   - Potential impact
   - Suggested fix (if you have one)
3. Expect acknowledgment within 48 hours
4. We will work on a fix and coordinate disclosure timing

### Responsible Disclosure

- Allow reasonable time for a fix before public disclosure
- Work with us to understand and validate the issue
- Maintain confidentiality until the fix is released

## Security Best Practices

### For Users

- Keep dependencies up to date
- Use the latest version of this project
- Review security advisories regularly
- Report vulnerabilities responsibly

### For Contributors

- Run `cargo audit` before submitting PRs
- Use `cargo deny` to check license compliance
- Follow secure coding practices
- Don't hardcode secrets or credentials
- Validate all external inputs

## Dependency Security

We use automated tools to monitor dependencies:

- **cargo-audit**: Scans for known security vulnerabilities
- **cargo-deny**: Checks licenses and bans unsafe dependencies

These run in CI on every push and PR.
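As an added illustration of that CI setup (not this project's own workflow file), the following GitHub Actions workflow runs both tools on every push and pull request. The workflow name, the use of `dtolnay/rust-toolchain` to install Rust, and the presence of a `deny.toml` at the repository root are assumptions.

```yaml
# Example workflow (added illustration, not the project's own CI config).
# Assumes a deny.toml at the repository root listing allowed licenses
# and any banned crates; cargo-deny falls back to defaults without it.
name: dependency-security

on:
  push:
  pull_request:

jobs:
  cargo-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # --locked pins the tool's own dependency tree to its Cargo.lock
      - run: cargo install --locked cargo-audit
      # Fails the job if Cargo.lock references a crate with a RustSec advisory
      - run: cargo audit

  cargo-deny:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - run: cargo install --locked cargo-deny
      # licenses: enforce the allow-list; bans: reject disallowed crates;
      # advisories: second check against the RustSec database
      - run: cargo deny check licenses bans advisories
```

Both jobs fail the PR check when a finding is reported, so a flagged advisory or license blocks the merge until it is resolved or explicitly ignored in `deny.toml`.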
## Code Review

All code changes go through review before merging:

- At least one maintainer review required
- Security implications considered
- Tests required for all changes
- CI checks must pass

## Known Vulnerabilities

We maintain transparency about known issues:

- Documented in GitHub security advisories
- Announced in release notes
- Tracked in issues with the `security` label

## Security Contact

For security inquiries, please contact:

- Email: [project maintainers]
- Issue: Open a private security advisory on GitHub

## Changelog

Security fixes are highlighted in CHANGELOG.md with a [SECURITY] prefix.

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE: Common Weakness Enumeration](https://cwe.mitre.org/)
- [Rust Security](https://www.rust-lang.org/governance/security-disclosures)
- [npm Security](https://docs.npmjs.com/about-npm/security)

## Questions?

If you have security questions (not vulnerabilities), open a discussion or issue with the `security` label.