We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
Please report security vulnerabilities privately via email to:
📧 security@sensibleanalytics.co
When reporting a vulnerability, please include:
- Description - Clear description of the vulnerability
- Steps to Reproduce - Detailed steps to reproduce the issue
- Impact Assessment - Potential impact and severity
- Affected Versions - Which versions are affected
- Suggested Fix - If you have suggestions for fixing the vulnerability (optional)
- Proof of Concept - Code or demonstration that shows the vulnerability (if applicable)
We take security seriously and aim to respond to security reports within the following timeframes:
| Severity | Initial Response | Assessment Complete | Fix Released |
|---|---|---|---|
| Critical | Within 24 hours | 7 days | 14 days |
| High | Within 48 hours | 14 days | 30 days |
| Medium | Within 7 days | 30 days | 60 days |
| Low | Within 14 days | 60 days | 90 days |
- Acknowledgment - We'll acknowledge receipt of your report within the initial response time
- Assessment - We'll assess the vulnerability and determine its severity
- Communication - We'll keep you informed of our progress
- Fix - We'll develop and test a fix
- Disclosure - We'll coordinate disclosure with you
- Release - We'll release the fix and publish a security advisory
- Credit - We'll credit you in our security advisory (if you wish)
We recommend that users and contributors follow these security practices:
- Always use the latest version of our software
- Enable two-factor authentication (2FA) on your accounts
- Keep your dependencies up to date
- Report any suspicious activity immediately
- Never commit secrets, API keys, or credentials to the repository
- Use environment variables for sensitive configuration
- Follow secure coding practices
- Review our Contributing Guide for security requirements
We implement the following security measures:
- ✅ Automated dependency scanning with Dependabot
- ✅ Code scanning with CodeQL
- ✅ Branch protection with required reviews
- ✅ Signed commits (where applicable)
- ✅ Regular security audits
- ✅ Responsible disclosure program
We may offer bug bounties for significant security vulnerabilities at our discretion. Bounties are determined based on:
- Severity of the vulnerability
- Quality of the report
- Potential impact on users
- Novelty of the vulnerability
Please contact us at security@sensibleanalytics.co to discuss bounty eligibility.
We maintain a list of past security advisories in our Security Advisories section.
- 📧 Email: security@sensibleanalytics.co
- 🔐 PGP Key: [Available upon request]
Thank you for helping keep Sensible Analytics and our users safe!