DotNetExtensions.OAuth20 is committed to maintaining project security and ensuring a safe experience for all users. We appreciate your efforts to responsibly disclose vulnerabilities and help us improve our software.
The following versions of DotNetExtensions.OAuth20 currently receive security updates:
Version | Supported |
---|---|
0.0.0 | ✅ |
0.0.0 | ❌ |
Note: As the project is still in development, actual release versions will be updated here once available.
If you discover a security vulnerability within the DotNetExtensions.OAuth20 project, we encourage you to report it responsibly. Please do not disclose the details publicly until we have addressed it.
- GitHub Private Vulnerability Reporting (Preferred):
  - Navigate to the Security tab of our repository.
  - Click on "Report a vulnerability".
  - Fill out the form with detailed information about the vulnerability.

  For more information, see GitHub's guide on reporting vulnerabilities.
- Email Reporting:
  - If you are unable to use GitHub's reporting feature, please send an email to security@dotnetextensions.com.
  - Include as much detail as possible about the vulnerability to help us assess and address it promptly.
Confidentiality:
We take your privacy seriously. All communications regarding security vulnerabilities are kept confidential. We will not share your personal information without your explicit permission.
After a vulnerability is reported, our team will:
- Verify the Issue: Reproduce and confirm the vulnerability.
- Assess the Impact: Evaluate the severity and potential impact.
- Develop a Fix: Work on a patch or update to resolve the issue.
- Release Updates: Publish the necessary updates and inform users.
- Public Disclosure: Once resolved, we will disclose the details in the `CHANGELOG.md` file of a related repository.
We believe in responsible disclosure and adhere to the following principles:
- Vulnerabilities will be disclosed publicly only after a fix has been implemented and released.
- We will credit the individual or organization that reported the vulnerability unless they prefer to remain anonymous.
- If a vulnerability cannot be immediately fixed, we will provide temporary mitigations or workarounds.
We aim to release security updates promptly after confirming a vulnerability and developing a fix. While we cannot commit to specific timelines, we prioritize security issues and strive to address them as quickly as possible.
We continuously enhance our security practices using automated tools:
- Code Scanning: Utilizing GitHub's CodeQL to automatically analyze our code for vulnerabilities.
- Dependabot Alerts: Enabled to monitor and notify us of vulnerabilities in our dependencies.
Note: As the project is still in development, this security automation is currently being set up.
Please ensure that you do not commit any sensitive information to the repository, such as API keys, passwords, or access tokens. Our repository has Secret Scanning and Push Protection enabled to prevent accidental exposure of secrets.
Guidelines:
- Review your commits to ensure they do not contain sensitive data.
- If you accidentally commit a secret, please contact us immediately so we can assist in mitigating any potential risks.
For more details on our security practices and policies, please refer to:
Thank you for helping us maintain the security of DotNetExtensions.OAuth20.