## Supported Versions

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
## Reporting a Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to security@deepcitation.com.

Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Impact assessment (if known)
- Any potential mitigations you have identified

## Response Timeline

- Acknowledgment: within 48 hours
- Initial assessment: within 5 business days
- Fix development: dependent on severity
  - Critical: within 7 days
  - High: within 14 days
  - Medium/Low: within 30 days
## Scope

The following are in scope:

- The `deepcitation` npm package (source code in `src/`)
- React components exported from the package
- Client-side API communication (`src/client/`)
- Citation parsing logic (`src/parsing/`)
The following are out of scope:

- The DeepCitation API server (api.deepcitation.com) — report separately to security@deepcitation.com
- Example applications in `examples/`
- Documentation site
- Third-party dependencies (report to their respective maintainers)
## Disclosure Policy

We follow coordinated disclosure. We will:

- Confirm the vulnerability and determine affected versions
- Develop and test a fix
- Release the fix and publish a security advisory via GitHub
- Credit the reporter (unless anonymity is preferred)
## Security Best Practices

- Always use the latest version of `deepcitation`
- Store API keys in environment variables, never in code
- Use HTTPS for all API communication (enforced by default)
- Review the npm provenance attestation on published packages