We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.13.x | ✅ |
| 0.12.x | ✅ |
| 0.11.x | ❌ |
| < 0.11 | ❌ |
We strongly recommend using the latest version to benefit from security updates.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
Please include as much of the following information as possible:
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability - what can an attacker do?
- Suggested fix (if you have one)
After you submit a report, you should expect:
- Acknowledgment within 48 hours confirming we received your report
- Initial assessment within 5 business days about severity and next steps
- Regular updates on our progress (at least every 2 weeks)
- Credit in the security advisory (unless you prefer to remain anonymous)
We follow coordinated disclosure:
- We work with you to understand and validate the vulnerability
- We develop and test a fix
- We prepare a security advisory
- We release the fix and publish the advisory
- You may publish your own advisory after our fix is released
Typical timeline: 90 days from report to public disclosure
When we release a security update:
- Security advisory published on GitHub
- CVE assigned (if applicable)
- Patch release with security fix
- Release notes clearly mark security fixes
- npm advisory if the vulnerability is in dependencies
Token Security:
- Never commit GitHub tokens to your repository
- Use GitHub Secrets for tokens in Actions workflows
- Rotate tokens periodically
- Use fine-grained Personal Access Tokens when possible
Notification Security:
- Use environment variables (
env:VAR_NAME) for webhook URLs - Never commit notification credentials
- Validate webhook payloads when possible
- Use secure SMTP connections (TLS/SSL)
Content Security:
- Markdown in incidents is sanitized with DOMPurify
- User-provided content is escaped to prevent XSS
- No
eval()or unsafe JavaScript execution
Code Review:
- All PRs require review before merge
- Security-sensitive changes get extra scrutiny
- Automated security scanning via GitHub Advanced Security
Dependencies:
- Dependabot enabled for automated security updates
- Regular
npm auditchecks in CI - Pin dependencies to specific versions
Testing:
- Never use real API tokens in tests
- Mock all external services
- Test input validation and sanitization
Using a GitHub token in client-side code exposes it to users. Never pass your token to the browser.
Safe:
// Server-side (Node.js, GitHub Actions)
const token = process.env.GITHUB_TOKEN;Unsafe:
// ❌ Client-side JavaScript
const token = "ghp_xxx"; // NEVER DO THISStentorosaur handles this correctly:
- Token used only during build (server-side)
- Generated JSON is public (no tokens)
- Client-side components never see tokens
User-provided markdown in GitHub issues is rendered on the status page.
Protection:
- All markdown is sanitized with DOMPurify
- XSS attacks are prevented
- Malicious HTML is stripped
- Safe subset of HTML allowed
We use:
- Dependabot for automated dependency updates
- npm audit in CI pipeline
- Snyk scanning (optional)
- Regular manual reviews of dependencies
Workflow security:
- Minimal permissions (
contents: write,issues: writeonly when needed) - No third-party actions without review
- Secrets never logged or exposed
- Workflow approval required for PRs from forks
We thank the following people for responsibly disclosing security issues:
None reported yet - be the first!
For security issues: security@amiable.dev
For general support: See SUPPORT.md