| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| 0.14.x | |
| < 0.14 | ❌ |

We take the security of FYI Request System seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues. Instead, please report them via email to security@fyi-cli.example.com, or use GitHub's private vulnerability reporting feature: https://github.com/yourusername/fyi-cli/security/advisories/new

Please include the following information in your report:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (if applicable)
- Your contact information for follow-up

You can expect:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Status update: Within 10 business days
- Resolution timeline: Depends on severity (see below)

| Severity | Response Timeline | Description |
|---|---|---|
| Critical | 24-48 hours | Remote code execution, data breach |
| High | 5 business days | Privilege escalation, authentication bypass |
| Medium | 10 business days | XSS, CSRF, information disclosure |
| Low | 20 business days | Minor security issues |

The disclosure process:

1. Report - Submit your findings via email or GitHub advisory
2. Acknowledge - We'll confirm receipt within 48 hours
3. Assess - We'll evaluate the vulnerability and determine severity
4. Fix - We'll develop and test a fix
5. Release - We'll release a patched version
6. Disclose - Public disclosure after users have had time to update

During this process:

- We will notify you when the vulnerability has been fixed
- We may request that you keep the vulnerability confidential until a fix is released
- We will credit you in the security advisory (unless you prefer to remain anonymous)
- We request that you do not disclose the vulnerability publicly before we release a fix

To keep your installation secure:
- Keep updated - Always use the latest version
- Protect API keys - Store API keys securely, never commit to version control
- Use encryption - Enable encryption for sensitive data
- Review permissions - Regularly audit file permissions
- Monitor logs - Check logs for suspicious activity

Security measures in place for the repository:

- Dependency scanning - Automated vulnerability scanning on every commit
- CodeQL analysis - Static analysis for security issues
- Secret scanning - GitHub secret scanning enabled
- Signed commits - Commit signing encouraged
- Branch protection - Main branch protected
- Required reviews - Pull requests require review

For a list of past security advisories, see: https://github.com/yourusername/fyi-cli/security/advisories

Contact:

- Email: security@fyi-cli.example.com
- GitHub Advisories: https://github.com/yourusername/fyi-cli/security/advisories/new

Thank you for helping keep FYI Request System secure!