We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

Please report (suspected) security vulnerabilities to [security@example.com] (replace with your email or security contact). You will receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

1. Do not open a public GitHub issue for security vulnerabilities
2. Email the security team with:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Type of vulnerability (e.g., XSS, CSRF, SQL injection)
• Full paths of source file(s) related to the vulnerability
• Location of the affected code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit the issue

• Keep StreamTV updated to the latest version
• Use strong authentication when available
• Run StreamTV behind a firewall when possible
• Review and restrict API access
• Use HTTPS when exposing StreamTV to the internet
• Regularly review logs for suspicious activity

• Follow secure coding practices
• Review dependencies for known vulnerabilities
• Use parameterized queries (SQLAlchemy handles this)
• Validate and sanitize all user input
• Keep dependencies updated
• Review authentication and authorization logic

Security updates will be:

• Released as patch versions (e.g., 1.0.1, 1.0.2)
• Documented in CHANGELOG.md
• Announced in GitHub releases
• Backported to supported versions

• OAuth tokens are stored securely
• Passkeys use WebAuthn standards
• API tokens should be kept secret

• StreamTV listens on localhost by default
• Exposing to the internet requires proper security measures
• Use reverse proxy with SSL/TLS for production

• Regular dependency updates are recommended
• Known vulnerabilities are addressed promptly

When we receive a security bug report, we will:

1. Confirm the issue and determine affected versions
2. Audit code to find any potential similar problems
3. Prepare fixes for all releases still under support
4. Publish a security advisory and release patches

We credit security researchers who responsibly disclose vulnerabilities.

For security concerns, please contact: [security@example.com]

(Replace with your actual security contact email)