This document sets out the security policy and procedures for the SimpleJWT project.
SimpleJWT uses semantic versioning as its version numbering scheme. The meanings of major version, minor version, patch version and initial development follow the Semantic Versioning Specification.
Security patches will be provided for the following:
- In the initial development phase (i.e. when the latest major version is version 0), only the latest patch version is supported.
- Once major version 1 is released, patches will be provided to the two most recent major versions.
If you discover a vulnerability in SimpleJWT, keep it confidential. Do not disclose the vulnerability to anyone before the advisory is issued.
Provide details of the vulnerability at the GitHub Security Advisories page. For further information, please see the GitHub documentation.
At a minimum, your report should include:
- the version of SimpleJWT, and your hosting environment
- the steps required to reproduce the problem
- any other information which you think would be useful in diagnosing the problem
If you know how to fix the problem, or have a temporary workaround, include it in the report.
We will acknowledge your report as soon as we can. We will use reasonable endeavours to keep you informed while we investigate and create a fix. We may ask you for additional information or guidance as part of our investigation.
Some issues take time to correct, and the process may involve a review of the code for similar problems.
When a fix is ready, an advisory urging users to upgrade is published. If you are the first to report the vulnerability, you will be credited in the advisory.
Report security bugs in third-party modules to the person or team maintaining the module.
If you have suggestions on how this process could be improved please submit a pull request.