
Security: azutoolkit/joobq

SECURITY.md

Security Policy for JoobQ

Welcome to the JoobQ project! Security is a top priority for us. This document outlines our policy for reporting, handling, and addressing security vulnerabilities within the JoobQ project.


Supported Versions

The following versions of JoobQ are currently supported with security updates:

Version          Supported
Latest Release   ✅
Older Releases   ❌ (contact us for exceptions)

Reporting a Vulnerability

If you discover a security vulnerability, we encourage you to help us responsibly resolve it. Please follow these steps:

  1. Do not disclose publicly: Avoid posting details of the vulnerability in public forums, GitHub issues, or any other public channels.

  2. Report privately: Submit the vulnerability report via email to [email protected] with the following details:

    • A description of the vulnerability and its impact.
    • Steps to reproduce the issue.
    • Suggested fixes (if applicable).
    • Your contact information for further clarification.
  3. Acknowledgment: We will acknowledge receipt of your report within 48 hours and provide a timeline for our response.

  4. Coordination: We may ask for additional details to reproduce or validate the issue. We aim to resolve confirmed vulnerabilities promptly and will coordinate a public disclosure timeline with you.


Response Time Goals

We aim to meet the following response times for security issues:

  • Initial acknowledgment: Within 48 hours of reporting.
  • Issue validation: Within 7 days of acknowledgment.
  • Fix or mitigation release: Within 30 days, depending on complexity.

Security Updates and Releases

When a security fix is released, we will:

  1. Publish an updated release on GitHub.
  2. Include a detailed changelog entry highlighting the fix.
  3. Where appropriate, coordinate with public vulnerability databases (for example, by requesting a CVE identifier for the issue).

Scope of Security Coverage

We cover the following areas:

  • Code vulnerabilities: bugs in JoobQ's own code that allow unauthorized access, privilege escalation, or data corruption.
  • Dependency vulnerabilities: when a vulnerability is found in one of JoobQ's dependencies, we will work to update or patch it.

The following are out of scope:

  • Vulnerabilities in downstream applications using JoobQ.
  • Issues arising from misconfigurations or misuse.

Security Best Practices

To enhance security for users of JoobQ:

  • Keep your dependencies up-to-date.
  • Follow secure deployment and configuration practices.
  • Monitor the GitHub Advisory Database for related issues.

Credits and Recognition

We value contributions from the community and will publicly acknowledge individuals or teams who responsibly report vulnerabilities, unless they prefer to remain anonymous.

Thank you for helping keep JoobQ secure!


For questions or additional support, please contact us at [email protected].


Last Updated: December 13, 2024
