We release patches for security vulnerabilities in the following versions:

| Version | Supported |
|---|---|
| 2.x | ✅ |
| 1.x | ❌ |

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- GitHub Security Advisories: Use the "Report a vulnerability" button in the Security tab of this repository
- GitHub Issues: For non-sensitive security issues, open an issue at https://github.com/santosr2/techbadges/issues
Please include as much of the following information as possible:
- Type of vulnerability (e.g., XSS, injection, denial of service)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
You can expect the following response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 1 week
- Resolution: Typically within 2-4 weeks, depending on complexity
After you submit a report:
- We will acknowledge receipt of your vulnerability report
- We will investigate and validate the reported issue
- We will work on a fix and coordinate disclosure timing with you
- We will publicly acknowledge your responsible disclosure (unless you prefer anonymity)
When contributing to this project, please:
- Never commit secrets, API keys, or credentials
- Validate and sanitize all user input
- Use parameterized queries if adding database functionality
- Follow the principle of least privilege
- Keep dependencies up to date
This security policy applies to:
- The main TechBadges service
- Official deployment configurations
- Build and deployment scripts
This policy does not cover:
- Third-party forks or deployments
- Issues in dependencies (report those to the respective projects)
- Social engineering attacks
Thank you for helping keep TechBadges and its users safe!