We actively support the following versions of OpenMorph with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues. Use one of the following private channels instead:
- GitHub Security Advisories (preferred)
  - Go to the repository's Security tab
  - Click "Report a vulnerability"
  - Fill out the form with detailed information
- Direct contact
  - Reach the repository maintainers through a private channel (public issues are readable by anyone, including attackers)
  - Include "SECURITY" in the subject line
Please include the following information:
- Type of issue (for example buffer overflow, SQL injection, cross-site scripting, path traversal)
- Full paths of the source file(s) in which the issue manifests
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
Target response times:
- Initial response: within 24 hours
- Assessment: within 72 hours of the initial report
- Status updates: every 72 hours until resolution
- Fix timeline, depending on severity:
  - Critical: 24-48 hours
  - High: within 1 week
  - Medium: within 2 weeks
  - Low: next regular release
- We will acknowledge receipt of your vulnerability report within 24 hours
- We will provide an estimated timeline for addressing the vulnerability
- We will notify you when the vulnerability is fixed
- We will publicly disclose the vulnerability after a fix is released
- We may ask you to keep the vulnerability confidential until we can address it
Once a report is confirmed, the fix proceeds through these stages:
- Investigation: verify and assess the vulnerability
- Fix development: develop and test the security fix
- Release: create a security patch release
- Notification: notify users through GitHub releases and security advisories
- Documentation: update security documentation
We appreciate the security community's efforts to improve OpenMorph's security. Contributors who report valid security vulnerabilities will be:
- Acknowledged in the security advisory (if desired)
- Listed in our security contributors section
- Provided with early access to the fix for verification
Recommendations for users and operators of OpenMorph:
- Always download OpenMorph from official sources
- Verify checksums and signatures when available, and refuse to install an artifact whose checksum is missing or does not match
- Use the latest version to get security updates
- Store configuration files with restrictive permissions: 644 is acceptable for non-sensitive settings, but a file that holds any secret should be 600 so that it is not world-readable
- Use environment variables for sensitive configuration rather than writing secrets into files
- Regularly review and audit your configuration
- Keep OpenMorph updated to the latest version
- Monitor GitHub releases and security advisories
- Report any suspicious behavior or potential security issues
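The following script is an added example, not code from the OpenMorph project, showing how the download and configuration recommendations above can be enforced rather than left to habit: a fail-closed SHA-256 check of a release artifact against a published checksum list, a detached-signature check that fails when `gpg` is missing instead of silently skipping, and installation of a configuration file with restrictive permissions. All file names (`openmorph-1.2.0.tar.gz`, `SHA256SUMS`, `openmorph.yaml`) and the release payload are constructed for illustration; the real artifact, checksum file and signing key come from the project's official release page.

```shell
#!/bin/sh
# Added example, not OpenMorph's own code. File names below are hypothetical
# and the "release payload" is constructed inline so the script runs offline.

# SHA-256 of a file, portably (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE SUMS_FILE
# Succeeds only if SUMS_FILE lists FILE's basename and the digest matches.
# An unlisted artifact is treated as a failure: never trust what is not listed.
verify_checksum() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$2")
  if [ -z "$expected" ]; then
    echo "FAIL: no checksum listed for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: checksum mismatch for $name" >&2
    return 1
  fi
  echo "OK: checksum verified for $name"
}

# verify_signature FILE SIG_FILE
# Verifies a detached GPG signature against keys already imported into the
# local keyring. If gpg is absent the check fails rather than being skipped.
verify_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "FAIL: gpg not available" >&2; return 1; }
  gpg --verify "$2" "$1"
}

# install_config SRC DEST MODE
# Copies a configuration file into place under a restrictive umask, then
# applies MODE: 644 for non-sensitive settings, 600 if it carries any secret.
install_config() {
  ( umask 077 && cp "$1" "$2" ) && chmod "$3" "$2"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# End-to-end demonstration on constructed files in a temporary directory.
# Returns 0 only if the intact artifact verifies, a tampered copy is rejected,
# an unlisted file is rejected, and the config lands with mode 600.
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'constructed release payload\n' > "$tmp/openmorph-1.2.0.tar.gz"
  ( cd "$tmp" && printf '%s  %s\n' "$(sha256_of openmorph-1.2.0.tar.gz)" \
      openmorph-1.2.0.tar.gz > SHA256SUMS )

  verify_checksum "$tmp/openmorph-1.2.0.tar.gz" "$tmp/SHA256SUMS" || return 1

  # Simulate a tampered download: a single appended byte must be detected.
  printf 'x' >> "$tmp/openmorph-1.2.0.tar.gz"
  if verify_checksum "$tmp/openmorph-1.2.0.tar.gz" "$tmp/SHA256SUMS" 2>/dev/null; then
    echo "tampered artifact was accepted" >&2
    return 1
  fi

  # An artifact with no entry in SHA256SUMS must also be refused.
  printf 'other\n' > "$tmp/unlisted.tar.gz"
  if verify_checksum "$tmp/unlisted.tar.gz" "$tmp/SHA256SUMS" 2>/dev/null; then
    echo "unlisted artifact was accepted" >&2
    return 1
  fi

  # Secrets stay in environment variables; the config file itself is still 600.
  printf 'log_level: info\n' > "$tmp/openmorph.yaml.in"
  install_config "$tmp/openmorph.yaml.in" "$tmp/openmorph.yaml" 600 || return 1
  [ "$(mode_of "$tmp/openmorph.yaml")" = "600" ] || return 1

  rm -rf "$tmp"
  echo "demo passed"
}

demo
```

The checksum lookup keys on the artifact's basename so a renamed or extra file cannot borrow another entry's digest, and every failure path returns non-zero, so the script can gate an install step in CI (`verify_checksum ... && tar xzf ...`). Verifying a signature only proves the artifact was signed by whatever key is in your keyring, so import the project's release key from a trusted source first.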
OpenMorph includes several security features:
- Input validation and sanitization
- Secure file handling with proper permissions
- Vulnerability scanning in CI/CD pipeline
- Regular dependency security updates
- Static code analysis for security issues
For general security questions or concerns that are not vulnerabilities, please:
- Open a GitHub issue with the "security" label
- Start a GitHub discussion in the Security category
This security policy is based on industry best practices and will be reviewed and updated regularly to ensure it remains effective and current.