Skip to content

Security: miladrezanezhad/sir_simulator

Security

SECURITY.md

πŸ”’ Security Policy

Supported Versions

Version Supported
1.0.x βœ…
< 1.0 ❌

Only the latest stable version receives security updates.


πŸ›‘οΈ Reporting a Vulnerability

If you discover a security vulnerability within this project, please follow these steps:

1. Do NOT create a public issue

Security vulnerabilities should be reported privately to allow time for a fix.

2. Send an email

Contact the maintainer directly:

πŸ“§ Email: miladvf2014@gmail.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce (if possible)
  • Potential impact
  • Any suggested fixes (optional)

3. Use GPG encryption (optional)

For highly sensitive reports, you can request a GPG key via email.


πŸ“‹ What to Expect

Step Timeline Description
1 24-48 hours Acknowledgment of your report
2 5-7 days Investigation and verification
3 7-14 days Fix development and testing
4 24 hours Patch release and public disclosure

βœ… Security Measures in Place

This project includes the following security features:

Feature Status Description
SAST (Bandit) βœ… Static code analysis on every PR
Dependency scanning (Safety) βœ… Checks for vulnerable packages
Unit security tests βœ… 22 tests (DoS, Memory, Unicode, XSS)
GitHub CodeQL ⚠️ Coming in v1.1.0
Secret scanning βœ… TruffleHog on every push

πŸ”’ Known Vulnerabilities

Currently, there are no known security vulnerabilities in this project.

If you find one, please report it using the process above.


πŸ§ͺ Running Security Tests Locally

# Run all security tests
python -m unittest discover tests/security -v

# Run specific security test
python tests/security/test_xss_prevention.py
python tests/security/test_dos_attack.py
python tests/security/test_memory_exhaustion.py
python tests/security/test_unicode_attacks.py

πŸ“¦ Dependency Security

This project uses automated dependency scanning via GitHub Actions.

To check dependencies manually:

# Install safety
pip install safety

# Check requirements file
safety check -r requirements_full.txt

# Check installed packages
safety check --full-report

πŸ”„ Responsible Disclosure

We follow industry-standard responsible disclosure practices:

  1. Reporter privately discloses the vulnerability
  2. Maintainer acknowledges within 48 hours
  3. Fix is developed and tested
  4. Patch is released
  5. Vulnerability is publicly disclosed (with credit to reporter)

πŸ† Acknowledgements

Security researchers who report valid vulnerabilities will be:

  • Credited in the CHANGELOG
  • Added to the CONTRIBUTORS list
  • Thanked publicly (if desired)

πŸ“š Additional Resources


Thank you for helping keep this project secure! πŸ”’

⬆ Back to Top

There aren't any published security advisories