We release patches for security vulnerabilities in the following versions:

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT open a public GitHub issue for security vulnerabilities
2. Email security concerns to the maintainers (see CODEOWNERS or repository owner)
3. Include the following in your report:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: We will acknowledge receipt within 48 hours
• Assessment: We will assess the vulnerability and determine its severity within 7 days
• Resolution: We aim to release a fix within 30 days for critical vulnerabilities
• Disclosure: We will coordinate with you on public disclosure timing

The following are in scope for security reports:

• Graphite library code (graphite-core, graphite-codegen, etc.)
• Build plugins (graphite-gradle-plugin, graphite-maven-plugin)
• Spring Boot auto-configuration (graphite-spring-boot-starter)

The following are out of scope:

• Vulnerabilities in dependencies (report to the respective projects)
• Issues in example code or documentation

When using Graphite in your application, follow these security recommendations:

# application.yml
graphite:
  client:
    # Always use HTTPS in production
    endpoint: https://api.example.com/graphql

    # Set reasonable timeouts to prevent resource exhaustion
    timeout:
      connect: 5s
      read: 30s
      request: 60s

    # Configure retry limits to prevent infinite loops
    retry:
      max-attempts: 3

• Never log request/response bodies containing sensitive data in production
• Use environment variables or secrets management for API keys and tokens
• Configure headers securely:

GraphiteClient client = GraphiteClient.builder()
    .endpoint("https://api.example.com/graphql")
    .header("Authorization", "Bearer " + System.getenv("API_TOKEN"))
    .build();

• Always validate user input before including in GraphQL variables
• Use parameterized queries (which Graphite enforces by design)
• Validate responses before processing

• Use TLS 1.2 or higher for all connections
• Consider certificate pinning for sensitive applications
• Use network policies to restrict outbound connections

The code generation requires a GraphQL introspection query result (schema.json). This file may contain sensitive information about your API schema. Store it securely and do not commit production schemas to public repositories.

Generated code is safe by design and does not include:

• Reflection-based serialization
• Dynamic class loading
• Execution of arbitrary code

We use the following tools to maintain dependency security:

• OWASP Dependency-Check: Scans for known vulnerabilities in dependencies
• Dependabot: Automated dependency updates
• SonarCloud: Static analysis for security issues

To run a security scan locally:

./gradlew dependencyCheckAnalyze

Security updates are released as patch versions (e.g., 0.1.1, 0.1.2). Subscribe to GitHub releases to be notified of security updates.