The Design Patterns Examples project takes security seriously. We appreciate your efforts to responsibly disclose any security vulnerabilities you find.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by:

1. Email: Send details to the project maintainers (if you have repository access, check for maintainer contact information)
2. GitHub Security Advisories: Use GitHub's private vulnerability reporting feature at:
   • Navigate to the repository's "Security" tab
   • Click "Report a vulnerability"
   • Fill out the vulnerability report form

Please include as much of the following information as possible:

• Type of vulnerability (e.g., code injection, cross-site scripting, etc.)
• Affected pattern(s) and language implementation(s)
• Step-by-step instructions to reproduce the issue
• Proof of concept or exploit code (if applicable)
• Impact assessment: What could an attacker potentially do?
• Suggested fix (if you have one)
• Your contact information for follow-up questions

After you submit a vulnerability report:

1. Acknowledgment: We will acknowledge receipt of your report within 48-72 hours
2. Assessment: We will investigate and assess the vulnerability
3. Updates: We will keep you informed of our progress
4. Resolution: We will work on a fix and coordinate disclosure timing with you
5. Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

1. Vulnerability is reported and confirmed
2. A fix is developed in a private repository or branch
3. The fix is tested across affected language implementations
4. A security advisory is prepared
5. The fix is released and the advisory is published
6. The vulnerability is disclosed publicly after users have had time to update

This project is primarily educational. While we don't maintain formal version releases with long-term support, we will:

• Address security vulnerabilities in the current main/master branch
• Update all language implementations when a security issue is pattern-specific
• Notify users through GitHub Security Advisories

When contributing to this project:

1. Input Validation: Even in educational examples, demonstrate proper input validation
2. Avoid Hardcoded Secrets: Never include API keys, passwords, or tokens in examples
3. Dependency Security: Keep language-specific dependencies up to date
4. Safe Defaults: Use secure coding practices in all implementations

• Regularly check for dependency vulnerabilities
• Use minimal dependencies in educational examples
• Document any security considerations in pattern READMEs

• Don't include sensitive information in documentation
• Be careful with example data and credentials
• Review external links for safety

This repository contains educational code examples designed to teach design patterns. These examples:

• May prioritize clarity over production-ready security features
• Should NOT be used directly in production environments without proper security review
• Focus on demonstrating patterns rather than comprehensive security implementations

When adapting these examples for production use, consider:

• Go: Proper error handling, race condition prevention, secure random number generation
• TypeScript/JavaScript: XSS prevention, prototype pollution, dependency vulnerabilities
• Java: Input validation, serialization security, SQL injection prevention
• PHP: SQL injection, XSS, CSRF, file upload security
• React/Angular: XSS prevention, dependency security, secure state management

When reviewing pattern implementations for security:

• No hardcoded credentials or sensitive data
• Proper input validation demonstrated (where applicable)
• No vulnerable dependencies
• Secure defaults in configuration examples
• SQL injection prevention (for database examples)
• XSS prevention (for web framework examples)
• Proper error handling without information leakage
• Thread-safety considerations documented (for concurrent patterns)

• OWASP Top Ten
• CWE/SANS Top 25
• Language-specific security guides:
  • Go Security
  • PHP Security Guide
  • Java Security Documentation
  • Node.js Security Best Practices

For security-related questions that are not vulnerabilities:

• Open a discussion in the GitHub Discussions section
• Check existing security-related issues
• Refer to CONTRIBUTING.md for general contribution guidelines

We appreciate the security research community's efforts to keep this educational project safe and secure. Your responsible disclosure helps us maintain a trustworthy learning resource.

Last Updated: January 2026