We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
- API Key Security:
  - Never share your Clockify API key
  - Don't commit API keys to version control
  - Use environment variables in CI/CD: `CLOCKIFY_API_KEY`
  - Regularly rotate your API keys
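As an added illustration of the API-key and HTTPS-only points in this policy (example code, not the Clockify CLI's own), the snippet below reads `CLOCKIFY_API_KEY` from the environment, validates its length and format, keeps the value out of error messages and logs, and refuses any endpoint that is not HTTPS. The key shape (32 to 64 alphanumerics) and the `X-Api-Key` header name are assumptions for the demo.

```javascript
// Added example, not code from the Clockify CLI. It shows the handling the policy
// asks for: read CLOCKIFY_API_KEY from the environment, validate length/format,
// never echo the secret in errors or logs, and only talk to HTTPS endpoints.
// ASSUMPTIONS: the key shape (32-64 alphanumerics) and the X-Api-Key header name.
const KEY_RE = /^[A-Za-z0-9]{32,64}$/;

// Resolve and validate the key from an env object (defaults to process.env).
function resolveApiKey(env = process.env) {
  const raw = env.CLOCKIFY_API_KEY;
  if (typeof raw !== 'string' || raw.trim() === '') {
    return { ok: false, reason: 'CLOCKIFY_API_KEY is not set' };
  }
  const key = raw.trim();
  if (!KEY_RE.test(key)) {
    // Report the failure class only; the value itself must never reach a log.
    return { ok: false, reason: 'CLOCKIFY_API_KEY has unexpected length or characters' };
  }
  return { ok: true, key };
}

// Mask a secret for log output, keeping the last 4 characters for correlation.
function redact(secret) {
  if (typeof secret !== 'string' || secret.length < 8) return '****';
  return '*'.repeat(secret.length - 4) + secret.slice(-4);
}

// Build fetch()-style options with a timeout and User-Agent; refuse non-HTTPS URLs
// (URL parsing lowercases the scheme, so mixed-case "HTTP://" is caught too).
function buildRequestOptions(baseUrl, apiKey, { timeoutMs = 10000 } = {}) {
  const url = new URL(baseUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS Clockify endpoint ${url.protocol}//${url.host}`);
  }
  return {
    url: url.toString(),
    headers: {
      'X-Api-Key': apiKey,                       // assumed header name
      'User-Agent': 'clockify-cli (policy example)',
      Accept: 'application/json',
    },
    signal: AbortSignal.timeout(timeoutMs),       // request/response timeout
  };
}

// Demo with a constructed environment so it runs offline.
const demo = resolveApiKey({ CLOCKIFY_API_KEY: 'A'.repeat(40) });
console.log(demo.ok ? `key loaded: ${redact(demo.key)}` : demo.reason);
```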
- Installation Security:
  - Install only from official sources (npm, GitHub releases)
  - Verify package integrity using npm's built-in verification
  - Keep the CLI updated to the latest version
- System Security:
  - Ensure your system keychain/credential manager is secure
  - Use appropriate file permissions for config files
  - Apply system updates and security patches regularly
- Code Security:
  - All inputs are validated and sanitized
  - No secrets in source code
  - Secure API communication (HTTPS only)
  - Regular dependency updates and security audits
- Data Protection:
  - Minimal data collection and storage
  - Secure credential storage using OS keychain
  - Local-first approach for sensitive data
  - Clear data retention policies
We take security vulnerabilities seriously. Please follow responsible disclosure:
- Email: send details to security@your-domain.com
- GitHub Security: use GitHub Security Advisories
- Include:
  - Detailed description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact assessment
  - Suggested fix (if known)
- Acknowledgment: within 24 hours
- Initial Assessment: within 72 hours
- Regular Updates: every 7 days until resolution
- Public Disclosure: after a fix is available and users have had time to update

- Day 0: Vulnerability reported
- Day 1: Acknowledgment and initial triage
- Day 3: Detailed assessment and severity classification
- Day 7-30: Fix development and testing
- Day 30+: Coordinated public disclosure
- API keys stored securely in OS credential manager (Keychain/Windows Credential Store)
- Support for environment variable authentication
- No hardcoded credentials or secrets

- All user inputs sanitized to prevent injection attacks
- Strict validation of API responses
- Length limits and format validation

- HTTPS-only communication with Clockify API
- Certificate verification and pinning
- Request/response timeout handling
- Proper User-Agent identification

- Regular `npm audit` scanning
- Snyk integration for advanced vulnerability detection
- Automated dependency updates for security patches
- SPDX license compliance checking

- TypeScript strict mode for type safety
- ESLint security rules and static analysis
- Pre-commit hooks for security checks
- Secure CI/CD pipeline

- Minimal data collection principles
- Local-first data storage approach
- Secure deletion of sensitive data
- No telemetry or tracking without explicit consent

- GitHub Dependabot for dependency updates
- Snyk for vulnerability scanning
- CodeQL for code security analysis
- npm audit in CI/CD pipeline

- Code review requirements for all changes
- Security-focused PR reviews
- Regular security audits
- Penetration testing for major releases
In case of a confirmed security incident:
- Immediate Response (0-24h):
  - Confirm and assess the vulnerability
  - Determine scope and impact
  - Prepare hotfix if critical
- Short-term Response (1-7 days):
  - Develop and test comprehensive fix
  - Prepare security advisory
  - Coordinate with affected users
- Long-term Response (7+ days):
  - Release patched version
  - Public disclosure and communication
  - Post-incident review and improvements
- Security Email: security@your-domain.com
- GitHub Security: Security Advisories
- Maintainer: @yourusername
We appreciate security researchers and users who help improve our security:
- Responsible disclosure participants
- Security audit contributors
- Community security feedback
Note: This security policy is regularly reviewed and updated. Last updated: 2024-01-01