We currently support the following versions of AutoML with security updates:

We take security vulnerabilities seriously. If you discover a security vulnerability in AutoML, please report it responsibly.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. Email: Send details to [security@automl.example.com] (replace with actual email)
2. GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
3. Direct Contact: Reach out to the project maintainers directly

Please include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

• Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours
• Investigation: We will investigate and validate the reported vulnerability within 5 business days
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Disclosure: We will coordinate with you on the timing of public disclosure

1. We will develop and test a fix
2. We will prepare a security advisory
3. We will release the patched version
4. We will publish the security advisory with credits to the reporter (unless they prefer to remain anonymous)

When contributing to AutoML, please follow these security guidelines:

• Validate all user inputs
• Use parameterized queries to prevent SQL injection
• Sanitize data before output to prevent XSS
• Follow the principle of least privilege
• Keep dependencies up to date

• Implement proper authentication and authorization
• Use HTTPS for all communications
• Rate limit API endpoints
• Validate and sanitize all API inputs

• Use environment variables for sensitive configuration
• Never commit credentials to the repository
• Use connection pooling and prepared statements
• Implement proper access controls

• Sanitize user-generated content
• Implement Content Security Policy (CSP)
• Use secure cookie settings
• Validate all client-side inputs on the server

We regularly monitor our dependencies for known vulnerabilities using:

• GitHub Dependabot alerts
• npm audit
• Regular dependency updates

• All environments use HTTPS
• Database connections are encrypted
• Regular security updates are applied
• Access logs are monitored

• We follow responsible disclosure practices
• Security researchers who report vulnerabilities will be credited (unless they prefer anonymity)
• We will not pursue legal action against researchers who follow our responsible disclosure policy

For any questions about this security policy, please contact:

• Project Maintainer: [maintainer@automl.example.com]
• Security Team: [security@automl.example.com]

Note: Please replace the example email addresses with actual contact information before publishing.