If you discover a security vulnerability in this project, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
- Email: Send a detailed report to security-opensource@gruposantander.com
- GitHub Security Advisories: Alternatively, use GitHub Security Advisories to report privately.
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Stage | SLA |
|---|---|
| Acknowledgment of report | < 48 hours |
| Initial assessment and severity classification | < 7 days |
| Fix for Critical/High severity | < 30 days |
| Fix for Medium/Low severity | < 90 days |
- We will acknowledge your report within 48 hours.
- We will investigate and determine the severity.
- We will develop and test a fix.
- We will release the fix and publish a security advisory.
- We will credit you publicly in the advisory and CHANGELOG (unless you prefer to remain anonymous).
This security policy applies only to code in this repository. It does not cover:
- Santander's internal infrastructure or systems
- Other Santander products or services
- Third-party dependencies (report those to the respective maintainers)
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous minor release | Security fixes only |
| Older versions | No |
- Never commit secrets, API keys, tokens, or credentials
- Never commit internal URLs, IP addresses, or corporate email addresses
- Never commit personally identifiable information (PII) or customer data
- Use environment variables for any configuration that could be sensitive
- Keep dependencies up to date (Dependabot is enabled on this repository)
We follow a coordinated disclosure process. We ask that you:
- Give us reasonable time to fix the vulnerability before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access or modify data that does not belong to you