Do not open a public GitHub issue for security vulnerabilities.
Email: security@yourorg.com
Please include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested fix (optional)
Expected response time: Acknowledgment within 48 hours. Resolution timeline communicated within 7 days. Critical issues targeted for patch within 14 days.
In scope:
- Lambda handler business logic (authentication flow, authorisation checks, input validation)
- CDK construct IAM policies (overly permissive roles or resource scopes)
- Dependency vulnerabilities in lambdas/package.json or the root package.json
Out of scope:
- Vulnerabilities in AWS-managed services (report to AWS directly)
- Issues in your own deployment configuration
- Theoretical attacks with no practical exploit path
Only the latest published npm version receives security fixes. Pinning to old versions is not supported.