At EnggVault, we prioritize the security of our software and the trust of our users. We appreciate the efforts of the security community in responsibly disclosing vulnerabilities to us.
We actively maintain and provide security updates for the following major versions of our software. Please note that support policies may vary by individual project.
| Version | Supported |
|---|---|
| v2.x.x | Yes |
| v1.x.x | No |
| < v1.0 | No |
Please do not report security vulnerabilities through public GitHub issues.
If you believe you have discovered a security vulnerability in any EnggVault project, please report it to us using the following procedure:
- Email us: Send a detailed email to enggvault@gmail.com.
- Provide details: Please include the following information:
- A clear description of the vulnerability.
- Exact steps to reproduce the issue.
- An assessment of the potential impact.
- Proof of concept (PoC) code if available.
We endeavor to respond to your report within 48 hours. We will keep you informed of our progress as we investigate and develop a remediation plan.
We request that you adhere to the following guidelines for responsible disclosure:
- Do not disclose the vulnerability publicly until we have completed our investigation, deployed a fix, and released an update. We typically request a 90-day embargo period.
- Do not exploit the vulnerability or use it to access data that does not belong to you.
- Provide a reasonable timeframe for us to resolve the issue before making it public.
We implement rigorous practices to ensure the security of our projects:
- Automated dependency scanning in CI/CD pipelines.
- Static code analysis (SAST) during integration.
- Mandatory peer code reviews for all pull requests.
- Least-privilege access controls for organizational resources.
We appreciate your assistance in maintaining the security of the EnggVault ecosystem.