| Version | Supported |
|---|---|
| 1.0.x | β |
| < 1.0 | β |
Only the latest stable version receives security updates.
If you discover a security vulnerability within this project, please follow these steps:
Security vulnerabilities should be reported privately to allow time for a fix.
Contact the maintainer directly:
π§ Email: miladvf2014@gmail.com
Please include:
- Description of the vulnerability
- Steps to reproduce (if possible)
- Potential impact
- Any suggested fixes (optional)
For highly sensitive reports, you can request a GPG key via email.
| Step | Timeline | Description |
|---|---|---|
| 1 | 24-48 hours | Acknowledgment of your report |
| 2 | 5-7 days | Investigation and verification |
| 3 | 7-14 days | Fix development and testing |
| 4 | 24 hours | Patch release and public disclosure |
This project includes the following security features:
| Feature | Status | Description |
|---|---|---|
| SAST (Bandit) | β | Static code analysis on every PR |
| Dependency scanning (Safety) | β | Checks for vulnerable packages |
| Unit security tests | β | 22 tests (DoS, Memory, Unicode, XSS) |
| GitHub CodeQL | Coming in v1.1.0 | |
| Secret scanning | β | TruffleHog on every push |
Currently, there are no known security vulnerabilities in this project.
If you find one, please report it using the process above.
# Run all security tests
python -m unittest discover tests/security -v
# Run specific security test
python tests/security/test_xss_prevention.py
python tests/security/test_dos_attack.py
python tests/security/test_memory_exhaustion.py
python tests/security/test_unicode_attacks.pyThis project uses automated dependency scanning via GitHub Actions.
To check dependencies manually:
# Install safety
pip install safety
# Check requirements file
safety check -r requirements_full.txt
# Check installed packages
safety check --full-reportWe follow industry-standard responsible disclosure practices:
- Reporter privately discloses the vulnerability
- Maintainer acknowledges within 48 hours
- Fix is developed and tested
- Patch is released
- Vulnerability is publicly disclosed (with credit to reporter)
Security researchers who report valid vulnerabilities will be:
- Credited in the CHANGELOG
- Added to the CONTRIBUTORS list
- Thanked publicly (if desired)
Thank you for helping keep this project secure! π