We actively maintain security updates for the following versions of PR Approval Finder:
| Version | Supported | Status |
|---|---|---|
| 6.0.x | β Yes | Current stable release |
| 5.x.x | Security fixes only | |
| < 5.0 | β No | Please upgrade |
If you discover a security vulnerability, please report it responsibly:
π For Security Issues:
- Email: security@example.com
- Subject:
[SECURITY] PR Approval Finder - Brief Description
- Open a public GitHub issue for security vulnerabilities
- Discuss the vulnerability publicly until it's been addressed
- Attempt to exploit the vulnerability
When reporting a security issue, please include:
- π Description - Clear description of the vulnerability
- π Steps to Reproduce - Detailed steps to reproduce the issue
- π₯ Impact Assessment - Potential impact and severity
- π Affected Versions - Which versions are affected
- π οΈ Suggested Fix - If you have ideas for a fix (optional)
- π§ Contact Information - Your preferred contact method
We are committed to addressing security issues promptly:
- π¨ Initial Response: Within 24 hours
- π Assessment: Within 72 hours
- π οΈ Fix Development: 1-7 days (depending on severity)
- π Release: As soon as possible after fix completion
- π’ Public Disclosure: After fix is deployed and users have time to update
When using PR Approval Finder:
- π GitHub Tokens: Use tokens with minimal required permissions
- π Private Repos: Only use trusted instances for private repository analysis
- π Token Rotation: Regularly rotate your GitHub tokens
- π± HTTPS Only: Always access the application over HTTPS
- π₯οΈ Browser Security: Keep your browser updated with latest security patches
When contributing to the project:
- π§ͺ Security Testing: Test for common vulnerabilities (XSS, CSRF, etc.)
- π Code Review: All changes undergo security-focused code review
- π¦ Dependencies: Keep dependencies updated and audit for vulnerabilities
- π Secrets: Never commit API keys, tokens, or other secrets
- π‘οΈ Input Validation: Validate and sanitize all user inputs
- π HTTPS Enforcement: All communication encrypted in transit
- π« No Server Storage: GitHub tokens never stored on servers
- π CORS Protection: Proper Cross-Origin Resource Sharing configuration
- π CSP Headers: Content Security Policy implemented
- π‘οΈ Security Headers: X-Frame-Options, X-Content-Type-Options, etc.
- βοΈ Vercel Security: Hosted on security-audited platform
- π API Rate Limiting: GitHub API rate limiting respected and managed
- π Monitoring: Security monitoring and alerting in place
- π Regular Updates: Dependencies and runtime regularly updated
β οΈ Client-Side Storage: Tokens stored in browser memory only- π Session-Only: Tokens not persisted between browser sessions
- π Minimal Permissions: Use tokens with only required scopes
- π Audit Trail: All API calls logged (without exposing tokens)
- β±οΈ API Limits: Respect GitHub's API rate limits
- π Retry Logic: Intelligent retry mechanism to prevent abuse
- π Monitoring: Track and display rate limit status to users
For non-urgent security questions or suggestions:
- π§ Email: security@example.com
- π¬ Discussion: GitHub Discussions (for general security topics)
- π Documentation: Check our Security Documentation
We recognize responsible security researchers who help improve our security:
No security issues have been reported yet. Be the first responsible researcher!
For security-conscious users and organizations:
- Using HTTPS-only deployment
- GitHub tokens have minimal required permissions
- Regular security updates applied
- Monitoring and alerting configured
- Backup and recovery procedures tested
- GitHub tokens rotated regularly
- Access logs reviewed periodically
- Team members trained on security best practices
- Incident response plan in place
Thank you for helping keep PR Approval Finder secure! π