This is the Security Policy of the @performanc/voice project. It exists to ensure the quality and security of the project, its developers, and the users of any application built with it.
Security vulnerabilities are supported only when they apply to the latest version of the project. The latest version is the main branch or the latest release.
Note: Branches actively being developed may or may not be supported. Always check the README for more information about their status.
Security vulnerabilities must be privately reported through GitHub Issues. To report a vulnerability, use the Report a vulnerability option in the Issues tab of the repository.
It's recommended to not disclose the vulnerability publicly until it's fixed and the latest version is released. However, there are no restrictions on the disclosure of the vulnerability and no legal actions will be taken against the reporter.
As soon as the vulnerability is confirmed, The PerformanC Organization Team will work on a fix. The fix will be released as soon as possible, and it will be announced in the Releases tab of the repository.
Security vulnerabilities are classified by their severity. The severity is determined by the impact of the vulnerability on the project and its users. The severity is classified as follows:
- Critical: Leads to privilege escalation or remote code execution.
- High: Leads to data manipulation or sensitive data exposure.
- Medium: Leads to non-sensitive data exposure, or denial of service attacks (DoS).
- Low: Leads to manipulation of data marked as untrusted, or wrong behavior of the application that doesn't affect the security of the project.
Note: The PerformanC Organization Team has the right to change the severity of a vulnerability if the assigned severity doesn't accurately represent its impact, so that the severity properly represents that impact.