If you discover a security vulnerability in Budget Analyzer, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email security@budgetanalyzer.org with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

After you report, you can expect the following response times:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Resolution timeline: Depends on severity, typically 30-90 days
This policy applies to all repositories in the Budget Analyzer organization:
- orchestration
- session-gateway
- token-validation-service
- transaction-service
- currency-service
- budget-analyzer-web
- service-common
Budget Analyzer implements defense-in-depth security patterns. For details, see:
We provide security updates for the latest release only. This is a reference architecture, not production software with LTS guarantees.
We appreciate security researchers who help keep Budget Analyzer secure. With your permission, we'll acknowledge your contribution in our release notes.