We actively support the following versions with security updates:

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. Go to Security Advisories
2. Click "New draft security advisory"
3. Fill out the form with details about the vulnerability

If you prefer not to use GitHub's security advisory system, you can email security concerns to:

• Email: halomastar@gmail.com
• Subject: [SECURITY] PyKotor Vulnerability Report

When reporting a vulnerability, please include:

• Description: A clear description of the vulnerability
• Impact: What could an attacker do with this vulnerability?
• Affected Packages: Which PyKotor packages are affected?
• Steps to Reproduce: Detailed steps to reproduce the issue
• Proof of Concept: If possible, provide a minimal proof of concept
• Suggested Fix: If you have ideas on how to fix it, please share them

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity, typically:
  • Critical: 24-48 hours
  • High: 1-2 weeks
  • Medium: 2-4 weeks
  • Low: Next release cycle

1. Keep dependencies updated: Regularly update PyKotor and its dependencies
2. Use virtual environments: Isolate your project dependencies
3. Review code: When using PyKotor in production, review the code you're using
4. Report issues: If you find a security issue, report it responsibly

1. Security reviews: All code changes should be reviewed for security implications
2. Dependency updates: Keep dependencies updated and review security advisories
3. Input validation: Always validate and sanitize user input
4. Secure defaults: Use secure defaults in all configurations

• PyKotor processes game files which may come from untrusted sources
• Always validate file paths and content before processing
• Be cautious when extracting or writing files

• Use the secure_xml extra to enable defusedxml for secure XML parsing
• Never parse XML from untrusted sources without defusedxml

• Use the encodings extra for charset-normalizer when processing untrusted text
• Always validate encoding before processing text data

• We follow responsible disclosure practices
• Vulnerabilities will be disclosed after a fix is available
• Credit will be given to reporters (unless they prefer to remain anonymous)
• A CVE will be requested for significant vulnerabilities

Security updates will be:

• Released as patch versions (e.g., 2.0.2 -> 2.0.3)
• Documented in release notes
• Tagged with security labels on GitHub
• Announced via GitHub releases

We appreciate your help in keeping PyKotor secure. Thank you for responsibly reporting vulnerabilities!