The XMRT ecosystem takes security seriously. This document outlines our security practices and how to report vulnerabilities.

Supported versions:

| Version | Supported |
|---|---|
| Latest | β |
| < Latest | β |
Please do not report security vulnerabilities through public GitHub issues. Instead, please report them to: security@xmrt.dev

Please include the following information:

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)

Expected response times:

- Initial Response: Within 24 hours
- Status Update: Within 7 days
- Resolution: Within 30 days (depending on complexity)
Security measures in place:

- Regular dependency updates via Dependabot
- Automated security scanning with CodeQL
- Container vulnerability scanning with Trivy
- Secret scanning to prevent credential leaks
- Multi-stage Docker builds with minimal attack surface
- Non-root container execution
- Security headers implementation
- Regular security audits

Development practices:

- Branch protection rules
- Required code reviews
- Automated testing before merge
- Security-focused CI/CD pipeline
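As an added illustration of the multi-stage, non-root container measures listed above (this is example code written for this page, not the XMRT project's own Dockerfile; the Python base image, the `/src` and `/app` layout, the `app` user name and the `python -m app` entrypoint are assumptions):

```dockerfile
# Added example, not the project's Dockerfile. Stage 1 has the full
# toolchain; stage 2 ships only the installed dependencies and the app,
# which keeps the runtime image (and what Trivy has to scan) small.

# ---- build stage: resolve and install dependencies ----
FROM python:3.12-slim AS build
WORKDIR /src
COPY requirements.txt .
# Install into a separate prefix so only the result is copied forward.
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# ---- runtime stage: minimal image, unprivileged user ----
FROM python:3.12-slim AS runtime
# System account with no login shell and no home directory.
RUN groupadd --system app \
 && useradd --system --gid app --no-create-home --shell /usr/sbin/nologin app
COPY --from=build /install /usr/local
WORKDIR /app
# Files are owned by the app user, but it never needs to write them.
COPY --chown=app:app . .
# Everything from here on, including CMD, runs as the non-root user.
USER app
EXPOSE 8080
CMD ["python", "-m", "app"]
```

Build the image as usual (`docker build -t xmrt-example .`) and run `trivy image xmrt-example` to get the container vulnerability scan the list above refers to; because the build toolchain never reaches the runtime stage, findings from build-only packages do not appear in that report.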
Security checklist for changes:

- Dependencies are regularly updated
- Secrets are properly managed
- Input validation is implemented
- Authentication is secure
- Authorization is properly configured
- Logging includes security events
- Error handling doesn't leak information
For security-related questions or concerns:

- Email: security@xmrt.dev
- Security Team: @xmrt-security-team

This security policy is part of the XMRT ecosystem security framework.