diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8a16876 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,37 @@ +# Security Policy + +## Supported Versions + +The following table outlines which versions of PyWebIO are currently receiving security updates. We recommend all users upgrade to a supported version to ensure their applications remain secure. + +| Version | Supported | +| ------- | ------------------ | +| 1.8.x | :white_check_mark: | +| 1.7.x | :x: | +| 1.4.x | :white_check_mark: | +| < 1.4 | :x: | + +--- + +## Reporting a Vulnerability + +We take the security of PyWebIO seriously. If you believe you have discovered a security vulnerability, please help us fix it by reporting it responsibly. + +### How to Report +Please **do not** open a public GitHub issue for security vulnerabilities. Instead, please report any security concerns via the following method: + +* **Email:** [Insert Maintainer Email Here] +* **GitHub:** You can also use [GitHub Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) if enabled for this repository. + +### What to Include in Your Report +To help us triage and fix the issue quickly, please include: +1. **Description:** A detailed description of the vulnerability. +2. **Version:** The version of PyWebIO where the issue was found. +3. **Reproduce:** A Proof of Concept (PoC) script or step-by-step instructions to reproduce the behavior. +4. **Impact:** What an attacker could achieve (e.g., XSS, RCE, or Data Leakage). + +### Our Commitment +* **Acknowledgement:** We will acknowledge receipt of your report within 48-72 hours. +* **Triage:** We will keep you updated as we investigate and validate the findings. +* **Fix:** Once confirmed, we will work on a patch and coordinate a disclosure date. +* **Credit:** We value the work of security researchers and will provide credit in the release notes if desired.
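Review bot: the `**Email:** [Insert Maintainer Email Here]` line ships an unfilled placeholder, so a reporter following the "do not open a public issue" instruction has no working contact unless private vulnerability reporting happens to be enabled; replace the placeholder with a real address (or drop the email bullet) before merging, and since the GitHub bullet only says "if enabled for this repository", confirm the setting and state it definitively rather than leaving the reporter to guess. Two smaller points in the same hunk: the Supported Versions table marks 1.7.x as unsupported while the older 1.4.x is supported, which reads as a transposition unless 1.4 is an intended LTS line, so please confirm or add a one-line note; and the stated acknowledgement window ("within 48-72 hours") would be clearer as a single upper bound, e.g. "within 72 hours", so the commitment is unambiguous.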