Currently supported versions of Polypore with security updates:
| Version | Supported |
|---|---|
| (no version released yet) | |
We take the security of Polypore seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- DO NOT create a public GitHub issue for the vulnerability.
- Send a detailed report to sporolyum@gmail.com including:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fixes (if any)
  - Your contact information for follow-up
- Initial Response: You will receive an acknowledgment within 48 hours.
- Status Updates:
  - We will provide status updates every 72 hours
  - A full assessment will be provided within 7 days
Our project implements several security measures:
- Keycloak authentication/authorization
- Environment variable protection
- PostgreSQL security best practices
- Docker container isolation
- AGPL v3 license compliance requirements
The following are in scope for security reports:
- Backend API endpoints (/app/backend)
- Frontend security concerns (/app/front)
The following are out of scope:
- Issues in dependencies (report to their respective projects)
- Issues in the development environment
- Issues that require physical access
- Social engineering attacks
- We follow responsible disclosure principles
- Public disclosure timing will be coordinated with the reporter
- Reporters will be credited (unless they prefer to remain anonymous)
- Fixes will be released as security patches
Security patches will be released as:
- Immediate patches for critical vulnerabilities
- Regular updates for non-critical issues
- Version updates in the changelog
For sensitive security issues:
- Email: sporolyum@gmail.com
- Response Time: Within 48 hours
For general security questions:
- GitHub Issues (non-vulnerability related)
- Project Documentation