| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email security concerns to the maintainers. You can find contact information in the repository's profile or reach out via GitHub's private vulnerability reporting feature if available.
When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact Assessment: Your assessment of the potential impact
- Affected Versions: Which versions are affected (if known)
- Suggested Fix: Any suggestions for remediation (optional)
Our response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Timeline:
  - Critical: Target fix within 7 days
  - High: Target fix within 30 days
  - Medium/Low: Target fix within 90 days
What to expect after you report:
- Acknowledgment: We'll acknowledge receipt of your report
- Investigation: We'll investigate and validate the vulnerability
- Resolution: We'll work on a fix and coordinate disclosure
- Credit: We'll credit you in the release notes (unless you prefer anonymity)
This project employs several security measures:
- CodeQL: Static analysis for security vulnerabilities
- Trivy: Vulnerability scanning for dependencies
- Dependabot: Automated dependency updates
- All code changes require pull request review
- CI/CD pipelines run security scans on every PR
- Dependencies are regularly updated
- Strict linting, with zero tolerance for reported lint issues
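As an added illustration of how the measures above fit together (this is not the project's own configuration; confvis's actual workflow files are not shown on this page), the following GitHub Actions workflow and Dependabot configuration run CodeQL and Trivy on every pull request under a least-privilege token and fail the PR check on unfixed high or critical findings. The `languages` value and the `pip` package ecosystem are assumptions; replace them with the project's own.

```yaml
# .github/workflows/security.yml (illustrative; not the project's actual file)
name: security-scans
on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the job token can read code and upload SARIF results, nothing else.
permissions:
  contents: read
  security-events: write
  actions: read          # needed by CodeQL on private repositories

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python   # assumption: replace with the project's language(s)
      - uses: github/codeql-action/analyze@v3

  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Scan the checked-out tree (manifests and lockfiles) and fail the check on
      # HIGH/CRITICAL vulnerabilities that already have a fixed version available.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"
---
# .github/dependabot.yml (illustrative; not the project's actual file)
version: 2
updates:
  - package-ecosystem: github-actions   # keeps the action versions pinned above current
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: pip              # assumption: use the project's real ecosystem
    directory: /
    schedule:
      interval: weekly
```

For supply-chain hardening, pin each `uses:` reference to a full commit SHA rather than a tag (Dependabot's `github-actions` updater will still bump them), and register both jobs as required status checks in branch protection so that the "all code changes require pull request review" rule is enforced by the platform rather than by convention.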
This security policy applies to:
- The confvis CLI tool
- All official confvis source integrations
- Documentation and examples
Out of scope:
- Third-party integrations not maintained by this project
- Issues in upstream dependencies (please report these to the relevant projects)
We appreciate the security researchers who help keep confvis secure. Contributors will be acknowledged here (with permission).