Last Updated: February 2026
Version: 1.0.0
Status: Active
- Supported Versions
- Reporting a Vulnerability
- Security Response Timeline
- Disclosure Policy
- Security Best Practices
- Contact Information
We provide security updates for the following versions:
| Version | Supported | End of Support |
|---|---|---|
| 1.0.x | Yes | Current |
| 0.9.x | Until 2026-03-01 | 2026-03-01 |
| 0.8.x | Until 2026-02-01 | 2026-02-01 |
| < 0.8 | No | Unsupported |
Recommendation: Always use the latest stable version for security updates.
We take all security vulnerabilities seriously. If you discover a security issue, please follow this process:
Important: Security vulnerabilities should NOT be reported through public GitHub issues to prevent potential exploitation before a fix is available.
Via GitHub Security Advisories:
- Go to the Security tab on GitHub
- Click "Report a vulnerability"
- Provide detailed information about the vulnerability
Or by email: send an encrypted email to security@biometrics.dev
PGP Key Fingerprint: TODO: Add PGP Key
When reporting a vulnerability, please provide:
- Description: Clear description of the vulnerability
- Impact: Potential impact if exploited
- Reproduction Steps: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected
- Suggested Fix: If you have a suggestion for fixing it
- Contact Info: Your contact information for follow-up questions
What to expect after reporting:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 7 days
- Regular Updates: Every 7 days during investigation
- Resolution Timeline: Depends on severity (see below)
We follow a structured response timeline based on vulnerability severity, from most to least severe:
Critical severity:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 48 hours
- Fix Development: 7 days
- Patch Release: 14 days
- Public Disclosure: 30 days after patch
High severity:
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 5 days
- Fix Development: 14 days
- Patch Release: 21 days
- Public Disclosure: 45 days after patch
Medium severity:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Fix Development: 30 days
- Patch Release: 45 days
- Public Disclosure: 60 days after patch
Low severity:
- Acknowledgment: Within 7 days
- Initial Assessment: Within 14 days
- Fix Development: 60 days
- Patch Release: 90 days
- Public Disclosure: 120 days after patch
We follow a coordinated disclosure approach:
- Private Report: Vulnerability reported privately
- Investigation: We investigate and develop a fix
- Patch Release: Security update is released
- Public Advisory: After 30 days, public advisory is published
- CVE Assignment: If applicable, CVE is assigned and published
- Security vulnerabilities are kept under embargo until the patch is released
- Researchers are asked to respect the embargo period (typically 30 days)
- Early disclosure may be granted to critical infrastructure providers if needed
We believe in recognizing security researchers:
- Hall of Fame: Contributors are listed in our Security Hall of Fame
- Acknowledgment: Public acknowledgment in release notes (unless anonymity is requested)
- CVE Credit: Your name/handle in CVE description (if applicable)
Request Anonymity: If you prefer to remain anonymous, please let us know.
- Keep Updated: Always use the latest stable version
- Monitor Advisories: Watch the Security Advisories page
- Secure Configuration: Follow our security configuration guide
- Secrets Management: Never commit secrets to version control
- Access Control: Implement proper authentication and authorization
- Network Security: Use firewalls and network segmentation
- Regular Audits: Conduct regular security audits
- Incident Response: Have an incident response plan ready
- Security-First Mindset: Consider security implications of all code changes
- Input Validation: Always validate and sanitize user input
- Authentication: Use secure authentication mechanisms
- Encryption: Encrypt sensitive data at rest and in transit
- Error Handling: Don't expose sensitive information in error messages
- Dependencies: Keep dependencies up to date
- Code Review: All code changes require security review
- Testing: Include security tests in your test suite
- OWASP Top 10: Follow OWASP Top 10 security guidelines
- Secure Coding: Adhere to secure coding standards
- Dependency Scanning: Automated vulnerability scanning on every PR
- Static Analysis: SAST tools run on all code changes
- Secret Scanning: Automated secret detection in all commits
BIOMETRICS employs multiple automated security scanning tools:
| Tool | Purpose | Frequency |
|---|---|---|
| govulncheck | Go dependency vulnerabilities | Every PR + Daily |
| Gitleaks | Secret detection | Every PR |
| TruffleHog | Secret detection (secondary) | Every PR |
| Semgrep | Static Application Security Testing (SAST) | Every PR |
| CodeQL | Code security analysis | Every PR |
| Dependabot | Dependency updates | Weekly |
| License Check | License compliance | Every PR |
All security scans run automatically:
- On Push: To the main and develop branches
- On Pull Request: All PRs are scanned
- Scheduled: Daily comprehensive scan at 3:00 AM UTC
- Manual: Can be triggered on-demand
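A GitHub Actions workflow wired to exactly the triggers listed above (push to main/develop, every pull request, a daily 03:00 UTC scan, and manual runs), added here as an illustration rather than the BIOMETRICS project's own workflow file. The job layout, the Go version, and the choice of running govulncheck from source and Gitleaks via gitleaks/gitleaks-action are assumptions.

```yaml
# Added illustration, not the BIOMETRICS project's own workflow.
# Triggers mirror the policy: push to main/develop, every PR,
# a daily scan at 03:00 UTC, and manual (on-demand) runs.
name: security-scans

on:
  push:
    branches: [main, develop]
  pull_request:
  schedule:
    - cron: "0 3 * * *"   # 03:00 UTC daily
  workflow_dispatch:       # manual trigger

# Least privilege: the job token is read-only unless a job
# explicitly requests more.
permissions:
  contents: read

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.22"   # assumed; pin to the version in go.mod
      - name: Scan Go dependencies for known vulnerabilities
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so every commit is scanned
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Both jobs fail the check when findings are reported, which is what blocks a PR from merging under the "every PR" policy.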
- Least Privilege: Minimal permissions for all services
- Role-Based Access: RBAC implemented throughout
- Audit Logging: All access is logged and auditable
- Session Management: Secure session handling with JWT
- Encryption at Rest: All sensitive data encrypted
- Encryption in Transit: TLS 1.3 for all communications
- Data Minimization: Only collect necessary data
- Retention Policies: Automatic data purging
- Email: security@biometrics.dev
- Response Time: Within 24 hours
- PGP Key: Download PGP Key (TODO: Add when available)
For critical security issues requiring immediate attention:
- Emergency Email: security-emergency@biometrics.dev
- Response Time: Within 4 hours for Critical severity
For non-security related questions:
- GitHub Issues: Create an Issue
- Discord: Join our Discord
- Email: support@biometrics.dev
We maintain a safe harbor policy for security researchers:
- Good Faith: Research conducted in good faith will not result in legal action
- No Unauthorized Access: Do not access data you don't own
- No Disruption: Do not disrupt production services
- Confidentiality: Respect data privacy and confidentiality
By reporting a vulnerability, you agree to:
- Keep the vulnerability confidential until public disclosure
- Allow us time to investigate and remediate
- Not exploit the vulnerability for malicious purposes
- Comply with all applicable laws and regulations
- Security Procedures - Detailed security processes
- Incident Response Plan - How we handle incidents
- Security Architecture - Technical security details
We recognize security researchers who have helped improve BIOMETRICS security:
| Researcher | Vulnerability | Date | Severity |
|---|---|---|---|
| Your name here! | - | - | - |
Want to be listed? Report a valid security vulnerability and help us improve!
- Initial security policy publication
- Implemented automated security scanning
- Established vulnerability disclosure process
- Created security response team
Last Reviewed: February 2026
Next Review: May 2026 (Quarterly)
Policy Owner: Security Team