Skip to content

Security: Aswincloud/pr-review-checker

Security

SECURITY.md

πŸ›‘οΈ Security Policy

πŸ”’ Supported Versions

We actively maintain security updates for the following versions of PR Approval Finder:

Version Supported Status
6.0.x βœ… Yes Current stable release
5.x.x ⚠️ Limited Support Security fixes only
< 5.0 ❌ No Please upgrade

🚨 Reporting a Vulnerability

πŸ“§ How to Report

If you discover a security vulnerability, please report it responsibly:

πŸ”’ For Security Issues:

⚠️ Please DO NOT:

  • Open a public GitHub issue for security vulnerabilities
  • Discuss the vulnerability publicly until it's been addressed
  • Attempt to exploit the vulnerability

πŸ“‹ What to Include

When reporting a security issue, please include:

  1. πŸ“ Description - Clear description of the vulnerability
  2. πŸ” Steps to Reproduce - Detailed steps to reproduce the issue
  3. πŸ’₯ Impact Assessment - Potential impact and severity
  4. 🌐 Affected Versions - Which versions are affected
  5. πŸ› οΈ Suggested Fix - If you have ideas for a fix (optional)
  6. πŸ“§ Contact Information - Your preferred contact method

⏱️ Response Timeline

We are committed to addressing security issues promptly:

  • πŸ“¨ Initial Response: Within 24 hours
  • πŸ” Assessment: Within 72 hours
  • πŸ› οΈ Fix Development: 1-7 days (depending on severity)
  • πŸš€ Release: As soon as possible after fix completion
  • πŸ“’ Public Disclosure: After fix is deployed and users have time to update

πŸ” Security Best Practices

For Users

When using PR Approval Finder:

  • πŸ”‘ GitHub Tokens: Use tokens with minimal required permissions
  • πŸ”’ Private Repos: Only use trusted instances for private repository analysis
  • πŸ•’ Token Rotation: Regularly rotate your GitHub tokens
  • πŸ“± HTTPS Only: Always access the application over HTTPS
  • πŸ–₯️ Browser Security: Keep your browser updated with latest security patches

For Contributors

When contributing to the project:

  • πŸ§ͺ Security Testing: Test for common vulnerabilities (XSS, CSRF, etc.)
  • πŸ” Code Review: All changes undergo security-focused code review
  • πŸ“¦ Dependencies: Keep dependencies updated and audit for vulnerabilities
  • πŸ” Secrets: Never commit API keys, tokens, or other secrets
  • πŸ›‘οΈ Input Validation: Validate and sanitize all user inputs

πŸ›‘οΈ Security Measures

Application Security

  • πŸ”’ HTTPS Enforcement: All communication encrypted in transit
  • 🚫 No Server Storage: GitHub tokens never stored on servers
  • 🌐 CORS Protection: Proper Cross-Origin Resource Sharing configuration
  • πŸ” CSP Headers: Content Security Policy implemented
  • πŸ›‘οΈ Security Headers: X-Frame-Options, X-Content-Type-Options, etc.

Infrastructure Security

  • ☁️ Vercel Security: Hosted on security-audited platform
  • πŸ”’ API Rate Limiting: GitHub API rate limiting respected and managed
  • πŸ“Š Monitoring: Security monitoring and alerting in place
  • πŸ”„ Regular Updates: Dependencies and runtime regularly updated

🚨 Known Security Considerations

GitHub Token Handling

  • ⚠️ Client-Side Storage: Tokens stored in browser memory only
  • πŸ•’ Session-Only: Tokens not persisted between browser sessions
  • πŸ” Minimal Permissions: Use tokens with only required scopes
  • πŸ“ Audit Trail: All API calls logged (without exposing tokens)

Rate Limiting

  • ⏱️ API Limits: Respect GitHub's API rate limits
  • πŸ”„ Retry Logic: Intelligent retry mechanism to prevent abuse
  • πŸ“Š Monitoring: Track and display rate limit status to users

🀝 Security Contact

For non-urgent security questions or suggestions:

πŸ† Security Hall of Fame

We recognize responsible security researchers who help improve our security:

No security issues have been reported yet. Be the first responsible researcher!

πŸ“‹ Security Checklist

For security-conscious users and organizations:

βœ… Deployment Checklist

  • Using HTTPS-only deployment
  • GitHub tokens have minimal required permissions
  • Regular security updates applied
  • Monitoring and alerting configured
  • Backup and recovery procedures tested

βœ… Usage Checklist

  • GitHub tokens rotated regularly
  • Access logs reviewed periodically
  • Team members trained on security best practices
  • Incident response plan in place

πŸ“š Additional Resources


Thank you for helping keep PR Approval Finder secure! πŸ™

There aren't any published security advisories