docs: create security policy #322

Open. Wants to merge 1 commit into base: main.
40 changes: 40 additions & 0 deletions SECURITY.md
@@ -0,0 +1,40 @@
# Security Policy

## Reporting Security Issues

If you discover any security vulnerabilities or issues in the mutapath library, please report them immediately to our security team by sending an email to [email protected]. We kindly request that you do not publicly disclose any potential security issues until they have been assessed and resolved by our team.

## Supported Versions

Currently, we are actively supporting the following version of mutapath with security updates:

| Version | Supported |
| ------- | ------------------ |
| ^ 0.17 | :white_check_mark: |
| < 0.17 | :x: |

For the most secure experience, we highly recommend using the latest supported version of mutapath.

## Dependency Auditing and Updates

To maintain the security of our project, we employ two tools for dependency management:

1. **Packj**: Packj.dev is used to audit our Python packages and detect malicious, vulnerable, abandoned, typo-squatting, and other "risky" packages. This helps us ensure that the dependencies we use are safe and reliable.

2. **Renovate Bot**: We use Renovate Bot to automatically keep our dependencies up-to-date with the latest versions, including security patches. This minimizes the risk of using outdated dependencies with known vulnerabilities.

3. **Fossa**: We use Fossa for license compliance checking and security screening of the mutapath library. Fossa helps us identify potential license conflicts and security vulnerabilities in our dependencies, enabling us to maintain a high level of code quality and security.

## Responsible Disclosure

As mentioned earlier, we take security very seriously and appreciate the efforts of security researchers and contributors in responsibly disclosing potential vulnerabilities. Once we receive a report of a security issue, we will follow the following steps:

1. We will review the report and assess the impact and severity of the issue.
2. We will work on developing and testing a fix for the issue.
3. A security advisory will be prepared, including details about the vulnerability and the fix.
4. The fix will be released in the latest supported version and, if necessary, backported to older supported versions.
5. The security advisory will be made public to the community after the fix has been released, to encourage users to update their installations.

We strive to handle security issues promptly and transparently while ensuring the safety of our users.

Thank you for your support and cooperation in making the mutapath library secure and reliable for all users.
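Review bot: the opening sentence of "Dependency Auditing and Updates" says "we employ two tools" but the numbered list beneath it has three entries (Packj, Renovate Bot, Fossa); change it to "three tools" or drop the count so the text and the list agree. Two consistency points elsewhere in the file: the Supported Versions table uses "^ 0.17", which is caret-range syntax (Poetry/npm) with a stray space, and for a 0.x version a caret range means ">=0.17, <0.18" rather than "0.17 and everything after", so state the intended range explicitly (for example ">= 0.17" if newer minors are also supported); and step 4 of "Responsible Disclosure" promises to backport fixes "to older supported versions" even though the table marks everything below 0.17 as unsupported, so either name the versions that would receive backports or reword the step to match the single supported line. Finally, "Reporting Security Issues" asks reporters not to disclose until the issue is resolved but gives no acknowledgement or response timeline; adding an expected response window (e.g. "we will acknowledge reports within N business days") would make the embargo request reasonable for researchers.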