| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ |
Only the latest release receives security updates. We recommend always running the most recent version.
Do not open a public GitHub issue for security vulnerabilities.
Please report security vulnerabilities via email to irfnhm@gmail.com or use GitHub's private vulnerability reporting.
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Resolution target: Within 30 days for critical issues
We follow coordinated disclosure. We will:
- Confirm receipt of your report
- Investigate and validate the issue
- Develop and test a fix
- Release the fix and publish an advisory
- Credit you (unless you prefer anonymity)
We ask that you do not publicly disclose the vulnerability until we have released a fix.
This project:
- Uses bcrypt for password hashing
- Implements AES-256-GCM for encryption
- Pins CI/CD dependencies to specific commit SHAs
- Runs automated security scanning (govulncheck, gosec, Trivy)
- Follows least-privilege principles for GitHub Actions workflows