SubTrackr is committed to maintaining a secure environment for tracking subscriptions. This document outlines our security practices, vulnerability reporting process, and patching workflow.
If you've found a security vulnerability, please do NOT create a public issue. Instead, report it via one of the following methods:
- GitHub Security Advisory: Use the "Report a security vulnerability" button in the Security tab of the repository.
- Email: security@subtrackr.example.com (Placeholder)
We follow the CVSS standard to categorize vulnerabilities:
| Severity | Description | Target Response |
|---|---|---|
| Critical | Remote code execution, full database access, etc. | Within 24 hours |
| High | Significant data exposure, bypass of security controls. | Within 72 hours |
| Moderate | Potential for misuse, limited data exposure. | Next scheduled release |
| Low | Minimal impact, hard to exploit. | Best effort |
The repository is monitored using several automated tools:
- GitHub Dependabot: Scans dependencies daily for known vulnerabilities (CVEs).
- NPM Audit: Integrated into CI/CD to prevent merging code with high-risk dependencies.
- Audit-CI: Enforces strict policy-based audits during the build process.
- Notification: Dependabot or CI alert triggers a notification.
- Triage: Maintainers assess the impact and severity.
- Draft: A fix is drafted in a private security fork or branch.
- Validation: CI runs security scans against the proposed fix.
- Release: The fix is merged and a new version is released immediately for Critical/High issues.
- Disclosure: A security advisory is published if necessary.
- Never commit secrets, API keys, or private tokens.
- Use environment variables for sensitive configuration.
- Keep dependencies updated and minimize the use of unverified third-party libraries.