This project is currently in active development. Security updates are provided for the following versions:

We take the security of PICKL seriously. If you discover a security vulnerability, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities. This could put other users at risk.

Report security vulnerabilities by emailing the maintainer directly or using GitHub's private vulnerability reporting feature:

• Email: Create a security advisory on GitHub
• GitHub Security Advisories: Navigate to the Security tab → Advisories → New draft security advisory

When reporting a vulnerability, please include:

• Description: A clear description of the vulnerability
• Impact: What could an attacker accomplish?
• Reproduction Steps: Detailed steps to reproduce the issue
• Affected Versions: Which versions are affected?
• Suggested Fix: If you have a solution, please share it

• Initial Response: Within 48 hours of report submission
• Status Update: Within 7 days with assessment and planned actions
• Fix Timeline: Varies based on severity (Critical: 7 days, High: 14 days, Medium: 30 days, Low: 60 days)

This project implements the following security measures:

• CodeQL Analysis: Automated code security scanning runs weekly (Mondays at 00:00 UTC)
• npm Audit: Dependency vulnerability scanning on every push and pull request
• Dependabot: Automated security updates for dependencies and GitHub Actions (weekly checks)

• Branch Protection: Direct commits to main branch are blocked
• Pre-commit Hooks: Automated linting and formatting before commits
• Commit Message Validation: Conventional commits enforced
• Code Review: All changes require pull request review

• Regular Updates: Dependencies reviewed and updated weekly via Dependabot
• Audit Threshold: CI fails on high or critical vulnerabilities
• License Compliance: All dependencies must use compatible licenses

When a security vulnerability is confirmed:

1. Assessment: Evaluate severity using CVSS scoring
2. Fix Development: Develop and test fix in private branch
3. Advisory: Create GitHub Security Advisory
4. Release: Deploy fix and publish advisory
5. Notification: Notify users through GitHub release notes

• Dependencies: Minimize external dependencies
• Input Validation: Always validate and sanitize user input
• Secrets Management: Never commit credentials, API keys, or tokens (see Secrets Management Guide)
• Error Handling: Avoid exposing sensitive information in error messages
• Testing: Include security test cases for new features

For comprehensive guidance on managing secrets and environment variables, see:

• Secrets Management Guide - Best practices for handling sensitive data
• .env.example - Template for environment variables
• .gitignore - Ensure sensitive files are excluded from version control

This security policy applies to:

• In Scope:

  • Core PICKL application code
  • Dependencies declared in package.json
  • GitHub Actions workflows
  • Documentation that could lead to security issues

• Out of Scope:

  • Third-party services (e.g., https://the-internet.herokuapp.com)
  • Local development environment configurations
  • Issues that require physical access to a user's machine

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (with permission):

• Acknowledgment in release notes
• Credit in SECURITY.md (if desired)
• Recognition in project README

If you have questions about this security policy, please open a discussion in the GitHub Discussions section.

Last Updated: December 17, 2025 Version: 1.1