We take security seriously. This document explains how to report vulnerabilities and what to expect from us.
Only the latest minor of each package receives security updates.
| Package | Supported |
|---|---|
| @firik-ui/core | Latest minor |
| @firik-ui/ui | Latest minor |
| @firik-ui/ui-pro | Latest minor |
| @firik-ui/eslint-plugin | Latest minor |
Do not open a public issue for security problems.
- Email: security@firik.dev
- PGP fingerprint: published at https://fehmicitiloglu.github.io/firik//.well-known/security.txt
- GitHub Security Advisories: use "Report a vulnerability" on the Firik repo (private to maintainers).
Please include:
- Affected package(s) and version(s).
- Reproduction steps or proof-of-concept.
- Impact assessment (XSS? RCE? data exposure? CSRF?).
- Whether the issue is public, embargoed, or under active exploitation.
| Severity (CVSS) | Acknowledge | Fix in main | Public release |
|---|---|---|---|
| Critical (≥9.0) | 24h | 72h | 7d |
| High (7–8.9) | 48h | 7d | 14d |
| Medium (4–6.9) | 5 business days | 30d | next minor |
| Low (<4) | best effort | next minor | next minor |
We follow a 90-day coordinated-disclosure window by default. Disclosing earlier or later than that is possible by mutual agreement; earlier disclosure is mandatory if the vulnerability is being actively exploited.
In scope:
- The published packages on npm and GitHub Packages.
- The license-key verification path in @firik-ui/ui-pro.
- Build and release tooling that produces the published artifacts.
Out of scope:
- Vulnerabilities in applications that use Firik (please report those to the application's vendor).
- Vulnerabilities requiring privileged local access to a developer's machine.
- Issues only reachable by disabling the lint rules in @firik-ui/eslint-plugin.
Researchers who responsibly disclose are credited (with permission) in CHANGELOG.md and on https://fehmicitiloglu.github.io/firik//security.