61 lines (41 loc) · 1.77 KB

Security Policy

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

Do NOT create a public GitHub issue for security vulnerabilities
Use GitHub's private vulnerability reporting (preferred)
Or email:

What to Include

Description of the vulnerability
Steps to reproduce
Potential impact
Suggested fix (if any)

Response Timeline

Action	Timeframe
Acknowledgment	Within 48 hours
Status update	Every 7 days
Resolution	Depends on severity

After Resolution

We'll coordinate disclosure timing with you
With permission, we'll credit you in the security advisory

Supported Versions

Version	Supported
Latest	Yes
Previous major	Security fixes only
Older	No

Security Best Practices

This repository follows security best practices:

Dependencies monitored by Dependabot
GitHub Actions pinned to SHA
Secrets never committed (see .gitignore)
Push protection enabled (recommended)

Enabling Additional Security Features

In your repository settings, consider enabling:

Secret scanning - Detects committed secrets
Push protection - Blocks pushes with secrets
Dependabot alerts - Notifies of vulnerable dependencies
Code scanning - Finds vulnerabilities via CodeQL

See GitHub Security Features for setup instructions.