We release patches for security vulnerabilities for the following versions:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

We take security vulnerabilities seriously. If you discover a security vulnerability, please report it responsibly.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please email us at security@adverant.ai with:
- Description: A clear description of the vulnerability
- Impact: What could an attacker do with this vulnerability?
- Reproduction Steps: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected?
- Possible Fix: If you have suggestions for how to fix it
After you report, you can expect:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Initial Assessment: We'll provide an initial assessment within 7 days
- Updates: We'll keep you informed of our progress
- Resolution: We aim to resolve critical vulnerabilities within 30 days
- Disclosure: We'll coordinate public disclosure timing with you
We support responsible security research. We will not take legal action against researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, or service interruption
- Report vulnerabilities directly to us before any public disclosure
- Give us reasonable time to address the issue
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
When using this plugin:
- Never commit API keys to version control
- Use environment variables for sensitive configuration
- Rotate keys periodically
- Use the minimum required permissions
- Use HTTPS for all communications
- Validate and sanitize all inputs
- Implement rate limiting
- Monitor for suspicious activity
- Encrypt sensitive data at rest
- Use secure transmission protocols
- Follow data retention policies
- Implement proper access controls
Security updates are released as:
- Critical: Within 24-48 hours
- High: Within 7 days
- Medium: Within 30 days
- Low: Next scheduled release
Subscribe to our security mailing list for notifications: https://adverant.ai/security-updates
We thank the following researchers for responsible disclosure:
- Your name could be here!
Contact:
- Security Issues: security@adverant.ai
- General Support: support@adverant.ai
- PGP Key: Available at https://adverant.ai/.well-known/security.txt