We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 0.x.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by email to:
security@example.com (Update this with your actual security contact)
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information:
- Type of vulnerability
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue
When using this library:
- Encryption Keys: Store encryption keys in a secret manager or environment variables, never in source control or client-side bundles
- Key Length: AES-256-GCM requires exactly 32 bytes (256 bits) of key material; generate it with a cryptographically secure random source, and never reuse a nonce under the same key
- Server-Side Only: Encode and decode on the server; never expose encryption keys to the client
- HTTPS: Always use HTTPS when transmitting encoded state
- Input Validation: Validate decoded data before use; a valid authentication tag proves the state was produced with your key, not that its contents are still acceptable (type, range, expiry)
- Version Management: Keep the library updated to receive security patches
When we receive a security report, we will:
- Confirm the issue and determine affected versions
- Audit code to find similar issues
- Prepare fixes for all supported versions
- Release new versions with fixes
- Publicly disclose the vulnerability after fixes are available
Thank you for helping keep encoded-state and our users safe!