We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.5.x | ✅ |
| < 1.5 | ❌ |
If you discover a security vulnerability within this project, please send an email to wes@wesellis.com. All security vulnerabilities will be promptly addressed.
Please include the following information:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
This project implements the following security measures:
- JWT-based authentication with short-lived tokens
- OAuth 2.0 support for third-party integrations
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) support
- All sensitive data encrypted at rest using AES-256
- TLS 1.3 for all data in transit
- Secrets managed via HashiCorp Vault or Azure Key Vault
- No hardcoded credentials or API keys
- All user inputs sanitized and validated
- SQL injection prevention via parameterized queries
- XSS protection through content security policies
- Command injection prevention
- Comprehensive audit logging
- GDPR/CCPA compliance features
- Regular security scanning with tools like:
- Dependabot for dependency vulnerabilities
- CodeQL for code analysis
- Trivy for container scanning
- OWASP ZAP for web vulnerabilities
- Network segmentation
- Firewall rules and security groups
- Regular security updates and patches
- Principle of least privilege
Before deploying to production:
- All dependencies updated to latest secure versions
- Security scanning completed with no high/critical issues
- Secrets rotated and stored securely
- SSL/TLS certificates valid and properly configured
- Access controls reviewed and tested
- Audit logging enabled and tested
- Backup and recovery procedures tested
- Incident response plan documented
For security concerns, please contact:
- Email: wes@wesellis.com
- GitHub Security Advisories: Create Advisory