We actively support the following versions with security updates:

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities. This helps protect users before a fix is available.

Send an email to security@nathanvale.com with the following information:

• Subject: Security Vulnerability Report
• Description: A clear description of the vulnerability
• Steps to Reproduce: Detailed steps to reproduce the issue
• Impact: What the vulnerability could allow an attacker to do
• Affected Versions: Which versions are affected
• Suggested Fix: If you have ideas for how to fix it (optional)

• Acknowledgment: We will acknowledge receipt of your report within 2 business days
• Initial Assessment: We will provide an initial assessment within 5 business days
• Progress Updates: We will keep you informed of our progress
• Resolution: We aim to resolve critical vulnerabilities within 30 days

• We will work with you to understand the vulnerability
• We will develop and test a fix
• We will release the fix and publish a security advisory
• We will credit you for the discovery (unless you prefer to remain anonymous)

This project includes several automated security measures:

• Dependency Scanning: Automated npm audit checks for known vulnerabilities
• SAST Analysis: Static Application Security Testing using CodeQL
• Secret Detection: Scanning for hardcoded secrets and credentials
• License Compliance: Checking for problematic open source licenses

Our CI/CD pipeline includes:

• Weekly security scans on schedule
• Security checks on every pull request
• Automated Dependabot updates for vulnerable dependencies
• CodeQL analysis for common security vulnerabilities

We follow these security best practices:

• Principle of Least Privilege: Minimal permissions for CI/CD workflows
• Dependency Management: Regular updates and vulnerability monitoring
• Secure Defaults: Secure configuration out of the box
• Input Validation: Proper validation of all inputs
• Error Handling: No sensitive information in error messages

We have enabled:

• Dependency vulnerability alerts
• Dependabot security updates
• CodeQL security analysis
• Secret scanning
• Private vulnerability reporting

We regularly:

• Monitor dependencies for security vulnerabilities
• Update dependencies to patch security issues
• Remove unused dependencies to reduce attack surface
• Use specific version pinning for critical dependencies

When we receive a security report:

1. Day 0: Vulnerability reported
2. Day 1-2: Acknowledgment sent
3. Day 3-5: Initial assessment completed
4. Day 6-30: Fix development and testing
5. Day 30: Public disclosure (or sooner if appropriate)

For security-related questions or concerns:

• Email: security@nathanvale.com
• PGP Key: Available upon request
• Response Time: 2 business days

We appreciate security researchers who help keep our project secure:

No vulnerabilities have been reported yet.

This security policy is subject to our Code of Conduct and License.

Note: This security policy applies to the monorepo template itself. Individual packages within the monorepo may have their own security considerations.