We actively maintain security for the following versions:
| Version | Supported |
|---|---|
| 2.0.x | β Yes |
| < 2.0 | β No |
We take the security of this template seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to [INSERT SECURITY EMAIL].
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the vulnerability
- The number of line(s) of code where the vulnerability can be observed
- A description of the vulnerability
- A description of how the vulnerability can be exploited
- Proof-of-concept or exploit code (if possible)
- Impact of the issue (data loss, system compromise, etc.)
- Acknowledgment: You will receive an acknowledgment within 48 hours
- Investigation: Our security team will investigate the report
- Updates: You will receive updates on the progress
- Resolution: Once resolved, we will:
- Release a security update
- Credit you in the security advisory (unless you prefer to remain anonymous)
- Update the changelog
- Keep dependencies updated - Regularly update your project dependencies
- Review generated code - Always review code generated by scripts
- Validate inputs - Ensure all user inputs are properly validated
- Use secure defaults - Don't override security-related default settings
- Monitor for updates - Watch for security updates to this template
- Follow secure coding practices - Use established security patterns
- Validate all inputs - Never trust user input without validation
- Use secure defaults - Implement secure-by-default configurations
- Test security scenarios - Include security-focused tests
- Review dependencies - Regularly review and update dependencies
- Critical vulnerabilities: Immediate release (within 24 hours)
- High severity: Within 72 hours
- Medium severity: Within 1 week
- Low severity: Within 1 month
- Security advisories will be published on GitHub
- Release notes will include security-related changes
- Email notifications for critical vulnerabilities (if you've reported issues)
We gratefully acknowledge security researchers who have responsibly disclosed vulnerabilities:
- [Your Name] - [Vulnerability Description] - [Date]
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- Python Security: https://python-security.readthedocs.io/
- GitHub Security: https://docs.github.com/en/code-security
Our security team consists of:
- Security Lead: [Name] - [Email]
- Security Reviewers: [Names] - [Emails]
For project security practices and development guidelines, see contributing.md and code-of-conduct.md.
Thank you for helping keep our template secure! π