Merged
84 changes: 84 additions & 0 deletions SECURITY.md
@@ -0,0 +1,84 @@
# Security Policy — @kyonax/org2html

## Supported Versions

These versions of **@kyonax/org2html** currently receive security patches and updates.

| Version | Supported |
|--------|-----------|
| 1.x.x | ✔️ Active (current major) |
| 0.x.x | ❌ Unsupported |

**Note:**
Using semantic versioning means only the latest minor/patch versions within an active major release are guaranteed to receive fixes.

---

## Reporting a Vulnerability

We take the security of this project seriously.
If you discover a security issue, please follow this responsible disclosure process.

### 1. Contact Method

Please report vulnerabilities privately via email:

**📧 kyonax.corp@gmail.com**

Do **not** create public GitHub issues for vulnerabilities.
All security reports must remain private until a fix is available.

---

### 2. What to Include in a Report

To help us investigate efficiently, please include:

- A clear and concise description of the vulnerability
- Steps to reproduce the issue
- Your environment details (Node version, OS, CLI version)
- The potential impact (e.g., data exposure, code execution)
- A minimal reproducible example (if possible)

---

### 3. Response Time Expectations

We aim to handle security reports promptly:

| Stage | Expected Time |
|-------|---------------|
| Acknowledgement | **48–72 hours** |
| Initial investigation | **3–7 days** |
| Fix development | **Varies by severity** |
| Release of security advisory | With the patch |

You will receive updates throughout the entire process.

---

### 4. Disclosure Policy

- Confirmed vulnerabilities will be fixed privately.
- A public **security advisory** will be published after the patch is released.
- Reporters may be credited for their discovery (optional).

---

## License & Security Expectations (LGPL v3)

Since this project is licensed under **LGPL v3**, users and contributors are expected to:

- Keep modifications to the library open-source
- Distribute security fixes under LGPL-compatible terms
- Avoid removing or bypassing safety or sandboxing mechanisms
- Inform maintainers about any discovered vulnerabilities whenever possible

This ensures the project remains safe and reliable for the entire community.

---

## Thank You

Thank you for helping improve the security and stability of **@kyonax/org2html**.
Your contributions make the ecosystem safer for everyone.
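Review bot: The Disclosure Policy and the Response Time table leave the embargo open-ended ("Fix development | Varies by severity", "Confirmed vulnerabilities will be fixed privately"), so a reporter has no stated point at which they may publish if a fix stalls; consider adding a maximum coordinated-disclosure window measured from acknowledgement, and, in the Contact Method section, stating whether the listed Gmail address accepts encrypted reports (a PGP key or a link to one), since reports sent there currently travel in plaintext.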