We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depend on the version number:

We take all security vulnerabilities seriously. Thank you for improving the security of our open-source software. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report vulnerabilities by emailing [SECURITY_EMAIL] with the subject line containing "[SECURITY]" followed by a brief description of the issue.

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

We prefer all communications to be in English.

• Security updates will be released as minor or patch version updates
• Security advisories will be published as GitHub Security Advisories
• Critical security vulnerabilities will be announced through the repository's security advisory feature

• Keep all dependencies up to date
• Use pip-audit to check for known vulnerabilities in dependencies
• Review and update requirements.txt regularly

1. Input Validation

   • Validate all user inputs
   • Use parameterized queries to prevent SQL injection
   • Sanitize all inputs to prevent XSS and other injection attacks

2. Authentication & Authorization

   • Implement proper authentication mechanisms
   • Use strong password policies
   • Implement proper session management
   • Follow the principle of least privilege

3. Data Protection

   • Encrypt sensitive data at rest and in transit
   • Use HTTPS for all communications
   • Never commit sensitive information (API keys, passwords) to version control

4. Error Handling

   • Implement proper error handling
   • Don't expose sensitive information in error messages
   • Log errors securely

5. Dependency Security

   • Regularly update dependencies
   • Remove unused dependencies
   • Use dependency checking tools

We recommend using the following tools to identify security issues:

• bandit - Security linter for Python code
• safety - Checks Python dependencies for known security vulnerabilities
• pip-audit - Audits Python environments for packages with known vulnerabilities
• truffleHog - Finds secrets accidentally committed to git repositories

All contributors are encouraged to complete the following free security training:

• OWASP Top 10
• GitHub Security Lab
• SANS Cyber Aces Online

This security policy may be updated from time to time. The version history can be viewed by checking the repository's commit history.