The Cometbid Technology Foundation takes the security of our software products and services seriously. If you believe you have found a security vulnerability in any of our repositories, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
- Primary: security@cometbid.tech
- Secondary: security-team@cometbid.tech
Please include the following information:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
Response Timeline
- Within 24 hours: Acknowledgment of your report
- Within 72 hours: Initial assessment and response
- Within 7 days: Expected timeline for patch
- Within 30 days: Security advisory publication (if applicable)
Disclosure Process
- Security patches are prepared privately
- Security advisories are drafted
- Patches are reviewed and tested
- Updates are pushed to all maintained versions
- Public notification and advisory publication
We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Our security advisories are published through:
- GitHub Security Advisories
- Our security mailing list
- Our blog (for high-severity issues)
Keep Dependencies Updated
- Regularly update your dependencies
- Monitor security advisories
- Use dependency scanning tools
Code Security
- Follow secure coding guidelines
- Implement input validation
- Use prepared statements for database queries
- Implement proper authentication and authorization
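The following is an added example, not code from the Cometbid repositories, illustrating two of the points above (input validation and prepared statements). It uses Python's built-in `sqlite3` module with a constructed in-memory `users` table and a hypothetical username allowlist pattern; it contrasts a query built by string formatting with a parameterized one, and shows why validating at the boundary and binding parameters are complementary rather than interchangeable.

```python
# Added example (not part of the Cometbid policy or its projects): contrasts a
# string-built query with a parameterized one, plus an allowlist input check.
# The schema, table and sample rows are constructed for this demonstration.
import re
import sqlite3

# Hypothetical allowlist for usernames: letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Anti-pattern: the caller's string becomes part of the SQL text,
    so quoting characters in the input change the meaning of the query."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the value is bound as data and never parsed as SQL,
    so the same input simply matches no row."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def validate_username(username: str) -> str:
    """Allowlist validation at the trust boundary: reject anything unexpected
    instead of trying to strip or escape bad characters."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: validate first, then bind the parameter."""
    return find_user_safe(conn, validate_username(username))
```

Parameter binding alone stops the injection; the allowlist check additionally rejects malformed input before it reaches any query, which keeps error handling simple and gives you a clean place to log and count rejected requests.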
Configuration Security
- Use environment variables for sensitive data
- Implement proper access controls
- Enable security headers
- Use HTTPS
```yaml
security:
  # Security headers
  headers:
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: "1; mode=block"
  # CORS configuration
  cors:
    allowed_origins:
      - https://cometbid.tech
    allowed_methods:
      - GET
      - POST
      - PUT
      - DELETE
```
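As an added example (not code from the Cometbid projects), the snippet below shows one way an application could apply the configuration above: the fixed security headers go on every response, while CORS headers are only emitted when the request's `Origin` exactly matches an entry in `allowed_origins` and the method is allowed. The `SECURITY_CONFIG` dictionary mirrors the YAML values; the request shape (an origin string and a method) and the function names are assumptions for this demonstration.

```python
# Added example (not from the Cometbid projects): applies the policy's header
# values and enforces the CORS origin allowlist by exact match. The config dict
# mirrors the YAML above; the request/response shapes are constructed.
from typing import Optional

SECURITY_CONFIG = {
    "headers": {
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
    },
    "cors": {
        "allowed_origins": ["https://cometbid.tech"],
        "allowed_methods": ["GET", "POST", "PUT", "DELETE"],
    },
}


def cors_headers(origin: Optional[str], method: str,
                 config: dict = SECURITY_CONFIG) -> dict:
    """Return the CORS response headers for a request, or {} if it is not allowed.

    The origin is compared by exact string equality against the allowlist.
    A prefix, suffix or substring test would also accept lookalike origins
    such as https://cometbid.tech.example.net, so never relax this to
    startswith()/in on the raw string.
    """
    cors = config["cors"]
    if origin is None or origin not in cors["allowed_origins"]:
        return {}
    if method.upper() not in cors["allowed_methods"]:
        return {}
    return {
        # Echo the matched origin (not "*"), and tell caches the answer
        # depends on the Origin header so one client's response is not
        # served to another origin.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(cors["allowed_methods"]),
        "Vary": "Origin",
    }


def build_response_headers(origin: Optional[str], method: str,
                           config: dict = SECURITY_CONFIG) -> dict:
    """Fixed security headers on every response; CORS headers only when allowed."""
    headers = dict(config["headers"])
    headers.update(cors_headers(origin, method, config))
    return headers
```

Two practical notes: requests without an `Origin` header (same-origin navigations, most non-browser clients) still get the fixed headers but no CORS headers, which is the desired behaviour; and `X-XSS-Protection` is a legacy header that current browsers ignore, so treat a Content-Security-Policy as the actual control against cross-site scripting and keep this header only for older clients.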
Public Keys
Our public key for secure communications can be found at: https://keys.cometbid.tech/security-team.pub
Additional Resources
- Security Guidelines
- Security Best Practices
- Incident Response Plan
This security policy is adapted from the GitHub Security Policy.