| Version | Supported |
|---|---|
| Latest main | ✅ |
| Previous tagged release | ✅ (security fixes only) |
| Anything older | ❌ |

Please do NOT open a public GitHub issue for security reports.
Use one of these private channels:
- GitHub Security Advisories (preferred): https://github.com/DeepakChander/CA-Project/security/advisories/new
- Email: security@ca-project.com (PGP key on request)
- Description of the vulnerability and impact
- Steps to reproduce (do not include real client data)
- Affected version / environment
- Your contact info so we can reach you

| Stage | SLA |
|---|---|
| Acknowledgement | within 2 business days |
| Initial assessment | within 5 business days |
| Fix or mitigation | depends on severity: P0 (in-the-wild exploit) within 24 hours; P1 within 7 days; P2 within 30 days |
| Disclosure | coordinated with the reporter |

We follow a 90-day responsible disclosure window unless a shorter window is warranted (active exploitation, customer data risk).
- Volumetric DDoS testing
- Social engineering of our staff
- Physical attacks
- Issues only present in unsupported / outdated browsers
We publicly thank researchers who report valid vulnerabilities (with their consent). Future: paid bug bounty programme.
If your report references real client data (PAN, GSTIN, Aadhaar, books data):
- Redact identifying fields before sending
- Or, if redaction is impractical, mark the report CRITICAL so that we handle it appropriately
- We will delete unnecessary copies once the issue is resolved
This project handles data covered by:
- DPDP Act 2023 (India) — breach reporting to Data Protection Board within 72 hours
- CERT-In directives — incident reporting within 6 hours of detection
Security findings of high severity may trigger these obligations.