|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +_Last updated: May 16, 2025_ |
| 4 | + |
| 5 | +This document describes the security vulnerability disclosure process for the **SQL-Mongo Query Converter** project. It covers supported versions, reporting guidelines, response commitments, and safe-harbor protections for security researchers. |
| 6 | + |
| 7 | +--- |
| 8 | + |
| 9 | +## Supported Versions |
| 10 | + |
| 11 | +| Version | Supported | |
| 12 | +| --------- | --------- | |
| 13 | +| `1.1.x` | YES | |
| 14 | +| `1.0.x` | YES | |
| 15 | +| `< 1.0.0` | NO | |
| 16 | + |
| 17 | +We backport critical and high-severity security fixes to the latest two minor versions (`1.1.x` and `1.0.x`) for at least 90 days after release. Older versions are no longer supported—users should upgrade to a supported release as soon as possible. |
| 18 | + |
| 19 | +--- |
| 20 | + |
| 21 | +## Reporting a Vulnerability |
| 22 | + |
| 23 | +If you discover a security issue in our code or infrastructure, please report it privately: |
| 24 | + |
| 25 | +1. **Email**: |
| 26 | + |
| 27 | + ```text |
| 28 | + hoangson091104@gmail.com |
| 29 | + ``` |
| 30 | + |
| 31 | +2. **PGP Key** (fingerprint): |
| 32 | + |
| 33 | + ``` |
| 34 | + 3F8A 2E4B 9D1C 7A5E 0B9F 1C23 4D56 7890 ABCD 1234 |
| 35 | + ``` |
| 36 | + |
| 37 | + Attach your public key or encrypt your report to avoid eavesdropping. |
| 38 | + |
| 39 | +3. **What to include**: |
| 40 | + |
| 41 | +- A clear description of the vulnerability and its impact. |
| 42 | +- Step-by-step reproduction instructions or proof-of-concept code. |
| 43 | +- Affected version(s) and environment details (OS, Node.js version, etc.). |
| 44 | +- Suggested mitigation or fix, if known. |
| 45 | + |
| 46 | +Please **do not** open a public GitHub issue or discuss the issue publicly before we have had a chance to triage and remediate. This helps protect our users and the wider ecosystem. |
| 47 | + |
| 48 | +--- |
| 49 | + |
| 50 | +## Response Timeline |
| 51 | + |
| 52 | +| Phase | Commitment | |
| 53 | +| -------------------------------- | ----------------------- | |
| 54 | +| Acknowledgement | Within 48 hours | |
| 55 | +| Preliminary triage & severity | Within 5 business days | |
| 56 | +| Patch deployment (high/critical) | Within 30 days | |
| 57 | +| Patch deployment (medium/low) | Within 90 days | |
| 58 | +| Public disclosure | After patch is released | |
| 59 | + |
| 60 | +We’ll keep you updated throughout the process. If you do not hear back within 48 hours, feel free to send a reminder. |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +## Safe Harbor |
| 65 | + |
| 66 | +We welcome and appreciate good-faith security research. As long as you: |
| 67 | + |
| 68 | +- Limit your testing to your own accounts or demo environments. |
| 69 | +- Do not access, modify, or delete any data you do not own. |
| 70 | +- Do not degrade the service for other users. |
| 71 | +- Promptly report any issues you find to us. |
| 72 | + |
| 73 | +—you will not face legal action from the SQL-Mongo Query Converter team. |
| 74 | + |
| 75 | +--- |
| 76 | + |
| 77 | +## Acknowledgments |
| 78 | + |
| 79 | +Thank you to all security researchers and contributors who help us keep our project safe. If you would like to be acknowledged publicly for your responsibly disclosed finding, please let us know in your report. |
| 80 | + |
| 81 | +--- |
| 82 | + |
| 83 | +## References |
| 84 | + |
| 85 | +- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) |
| 86 | +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) |
| 87 | +- [Node.js Security Working Group](https://github.com/nodejs/security-wg) |
0 commit comments