We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
-
GitHub Security Advisories: Use the GitHub Security Advisory to report vulnerabilities privately.
-
Email: Contact us at alex (you can find the email associated with the GitHub account @anchapin).
When reporting a security vulnerability, please include:
- Type of vulnerability (e.g., XSS, SQL injection, etc.)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment of the vulnerability
Once we receive a security vulnerability report:
-
Acknowledgment: We will acknowledge receipt of your report within 48 hours.
-
Initial Assessment: We will conduct an initial assessment to determine the severity and validity of the vulnerability.
-
Regular Updates: We will provide updates on the progress of addressing the vulnerability every 7 days.
-
Resolution: We will work on a fix and test the solution.
-
Public Disclosure: Once the vulnerability has been addressed, we will publicly disclose the details in the release notes.
We currently support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
When contributing to portkit, please follow these security best practices:
- Never commit sensitive information (API keys, passwords, tokens) to the repository
- Use environment variables for configuration secrets
- Follow the principle of least privilege
- Keep dependencies up to date
- Run security checks before submitting PRs
For deployment security configurations, see:
We appreciate the efforts of security researchers and contributors who help us keep portkit secure. With your permission, we will acknowledge your contribution in the security advisory.