We follow Semantic Versioning (SEMVER). Security updates are provided for the following versions:
| Version | Supported | Notes |
|---|---|---|
| 0.x.x | β | Development phase - all versions receive security updates |
| < 0.0.1 | β | Not yet released |
Note: Once we reach 1.0.0 (stable release), we will support:
- The latest major version (e.g., 2.x.x)
- The previous major version for 6 months after new major release
- Critical security patches may be backported to older versions on a case-by-case basis
π DO NOT open public issues for security vulnerabilities!
We take security seriously. If you discover a security vulnerability, please report it responsibly:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the advisory form with:
- Vulnerability description
- Affected versions
- Steps to reproduce
- Potential impact
- Suggested fix (if known)
Benefits:
- Private communication channel
- Coordinated disclosure timeline
- CVE assignment (if applicable)
- Credit in security advisory
If you cannot use GitHub Security Advisories, contact us at:
π security@secpal.app (PGP key available on request)
Please include:
- Brief description of the vulnerability
- Steps to reproduce
- Affected components/versions
- Your contact information (for follow-up)
We are committed to responding quickly to security reports:
| Severity | Initial Response | Fix Target | Disclosure |
|---|---|---|---|
| Critical | 24 hours | 7 days | After fix |
| High | 48 hours | 14 days | After fix |
| Medium | 72 hours | 30 days | After fix |
| Low | 7 days | 60 days | After fix |
Severity Definitions:
- Critical: Remote code execution, authentication bypass, SQL injection
- High: Privilege escalation, unauthorized data access, XSS with sensitive data exposure
- Medium: Information disclosure, CSRF, moderate data leaks
- Low: Minor information leaks, low-impact bugs
When a vulnerability is confirmed:
- Acknowledgment: We confirm receipt and severity assessment
- Investigation: We reproduce and analyze the vulnerability
- Fix Development: We develop and test a patch
- Coordinated Disclosure:
- Security advisory created (private)
- Fix released as patch version (e.g., 0.3.1 β 0.3.2)
- Security advisory published (public)
- CVE assigned (if applicable)
- Communication:
- GitHub Security Advisory
- Release notes
- Dependabot alerts (for downstream users)
When contributing to SecPal, follow these security guidelines:
- No hardcoded secrets (API keys, passwords, tokens)
- Input validation on all user inputs
- SQL queries use parameterized statements (no string concatenation)
- Authentication/Authorization checks in place
- Sensitive data encrypted at rest and in transit
- Error messages don't leak sensitive information
- Dependencies scanned for known vulnerabilities
- HTTPS/TLS enforced for all network communication
All PRs automatically run:
- Secret Scanning: GitHub Secret Scanning with push protection
- Dependency Scanning: Dependabot security updates
- SAST: CodeQL (JavaScript/TypeScript only)
- Static Validation: ESLint, TypeScript, Vitest, and native Android wrapper checks
-
Never commit secrets:
- Use environment variables (
.env) - Utilize secret management services
- Enable push protection (automatically enabled)
- Use environment variables (
-
Keep dependencies updated:
- Dependabot creates PRs daily (04:00 CET)
- Security updates have priority
- Review and merge promptly
-
Follow OWASP Top 10:
- OWASP Top Ten
- Regular security training encouraged
-
Validate all inputs:
- Server-side validation (never trust client)
- Sanitize outputs to prevent XSS
- Use framework's built-in protection (Laravel, React)
-
Least Privilege Principle:
- Minimal permissions for services
- Role-based access control (RBAC)
- Regular permission audits
SecPal repositories have the following security features enabled:
| Feature | Status | Description |
|---|---|---|
| Secret Scanning | β | Detects leaked credentials |
| Push Protection | β | Blocks commits with secrets |
| Dependabot Security Updates | β | Automated security patches |
| Dependabot Version Updates | β | Daily dependency updates (04:00 CET) |
| CodeQL Analysis | β | SAST for JavaScript/TypeScript |
| Branch Protection | β | main is protected with required checks, linear history, signed commits, and conversation resolution |
| Security Advisories | β | Private vulnerability reporting |
| Two-Factor Authentication | β | Required for all maintainers |
We compensate with:
- Android Lint/Gradle validation as native code is introduced
- Manual security reviews for native Android code
- Bridge-boundary tests for Capacitor/native integrations
- Currently: No rate limiting implemented
- Planned: Rate limiting for public APIs (v0.5.0)
- Mitigation: Monitor for unusual traffic patterns
- Currently: Permissive CORS for development
- Planned: Strict CORS policy for production (v0.3.0)
Planned security enhancements:
- v0.3.0: Production-ready CORS configuration
- v0.5.0: API rate limiting
- v0.7.0: Comprehensive audit logging
- v0.9.0: Penetration testing
- v1.0.0: Security certification (OWASP ASVS Level 2)
We appreciate responsible disclosure! Security researchers who report valid vulnerabilities will be credited here (with permission):
No vulnerabilities reported yet.
- Security Issues: Use GitHub Security Advisories or security@secpal.app
- General Questions: Open a Discussion in the repository
- Non-Security Bugs: Open an Issue using our bug report template
Last Updated: 2025-10-25