The following versions of GitHub Repository Analyzer are currently supported with security updates:

The GitHub Repository Analyzer team takes security seriously. We appreciate your efforts to disclose your findings responsibly and will make every effort to acknowledge your contributions.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to security@rmdash.fr. If possible, encrypt your message with our PGP key (available upon request).

Please include the following information in your report:

1. Description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact of the vulnerability
4. Any potential solutions you've identified
5. Your name/handle (if you wish to be credited)

After you have submitted a vulnerability report, you can expect:

• A confirmation of receipt within 48 hours
• An initial assessment of the report within 7 days
• Regular updates on our progress (at least every 7 days)
• A public acknowledgment of your report (unless you prefer to remain anonymous)

Our security response process is:

1. Reporter submits vulnerability via email
2. We confirm receipt and begin investigation
3. We determine severity and impact
4. We develop and test a fix
5. We release a security update and disclose the vulnerability
6. We publicly acknowledge the reporter's contribution (with permission)

Security updates will be released as soon as possible after a vulnerability is confirmed. We aim to release patches for critical vulnerabilities within 7 days of confirmation.

Updates will be published:

• As new releases on GitHub and npm
• With security advisories in the GitHub repository
• In our release notes and CHANGELOG

To ensure the security of your GitHub Repository Analyzer installation:

1. Always use the latest version
2. Apply any security patches promptly
3. Use strong GitHub API tokens with limited scopes
4. Never share your GitHub tokens
5. Periodically review the permissions granted to tokens

This security policy applies to:

• The GitHub Repository Analyzer codebase
• Its dependencies (as far as we can influence them)
• Deployments of the analyzer as a GitHub Action
• CLI usage

We are committed to acknowledging security researchers who help improve the security of our project. Unless you request anonymity, we will acknowledge your contribution in:

• Security advisories
• Release notes
• A SECURITY_CONTRIBUTORS.md file (if applicable)

At this time, we do not offer a paid bug bounty program.

Thank you for helping keep GitHub Repository Analyzer and its users safe!