## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
## Reporting a Vulnerability

Do not file public issues for security vulnerabilities.

Email: serhan@swb.sh

Include in your report:

- Description of the vulnerability
- Impact assessment
- Steps to reproduce
- Affected versions
- Suggested fix (if any)

Response timeline:

- 24 hours: Acknowledgment
- 7 days: Initial assessment
- 30 days: Fix and release
## Security Measures

- API key sanitization in logs
- Environment variable validation
- Secure file permission checks
- File size and content limits
- URL and package name validation
- Regex pattern safety
- HTTPS enforcement
- Request timeouts and retries
- Rate limiting protection
- No sensitive data in error messages
- Graceful failure handling
- Secure exception logging
## Disclosure Process

We will:

- Confirm and assess the vulnerability
- Develop a fix
- Test thoroughly
- Release fix with advisory
- Credit the reporter (if desired)

This policy may be updated. Check this repository for the latest version.

Note: This project is designed to improve security by detecting AI-generated dependency confusion vulnerabilities. If you believe you've found a case where dep-hallucinator fails to detect a legitimate security threat, please also report this using the same process.