## Supported Versions

We actively maintain and provide security updates for the following versions:

| Version | Supported |
|---------|-----------|
| 1.x.x   | ✅        |
| < 1.0   | ❌        |
## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability in this project, please follow these steps:

1. Report privately. Security vulnerabilities should be reported privately to prevent potential exploitation.
2. Send a detailed report to: [email protected]

Your security report should contain:
- Description: A clear description of the vulnerability
- Steps to reproduce: Detailed steps to reproduce the issue
- Impact: Potential impact of the vulnerability
- Suggested fix: If you have a solution in mind
- Affected versions: Which versions are affected
- Proof of concept: If applicable, include a minimal PoC

### Response Timeline

- Initial response: Within 48 hours
- Status update: Within 1 week
- Resolution: As quickly as possible, typically within 30 days

## Security Measures

### Code Execution Sandbox

- All user-submitted code runs in isolated environments
- Execution timeouts prevent resource exhaustion
- Memory limits prevent excessive resource usage
- File system access is restricted to challenge directories only

### Input Validation

- All user inputs are validated and sanitized
- SQL injection protection through parameterized queries
- XSS protection through proper output encoding
- File upload restrictions and validation

### Authentication and Access Control

- GitHub OAuth integration for secure authentication
- User submissions are restricted to their own directories
- Pull request validation ensures users can only modify their own code
- Admin-only access to sensitive operations

### Infrastructure

- HTTPS enforcement for all web traffic
- Regular dependency updates to patch known vulnerabilities
- Automated security scanning in CI/CD pipeline
- Environment variables for sensitive configuration

## Responsible Disclosure

We follow responsible disclosure practices:

- Private reporting: Vulnerabilities are reported privately first
- Timely response: We respond quickly to security reports
- Coordinated disclosure: We work with reporters to coordinate public disclosure
- Credit acknowledgment: Security researchers are credited in our security advisories

## Security Updates

### Dependency Management

- Dependencies are automatically updated via Dependabot
- Security patches are applied as soon as they're available
- Automated vulnerability scanning in our CI/CD pipeline

### Update Policy

- Critical security issues are addressed immediately
- Non-critical issues are scheduled for the next release
- Security advisories are published for significant vulnerabilities

## Security Best Practices

### Code Review

- All code changes require security review
- Automated security scanning in pull requests
- Manual review for security-sensitive changes

### Dependencies

- Regular updates of all dependencies
- Monitoring for known vulnerabilities
- Immediate updates for security patches

### Testing

- Security-focused testing in CI/CD
- Penetration testing for major releases
- Regular security audits

## Contact

### Security Team

- Email: [email protected]
- Response Time: Within 72 hours
- PGP Key: Available upon request

### Maintainer

- GitHub: @RezaSi
- Email: [email protected]

## Hall of Fame

We acknowledge security researchers who help improve our security:

| Researcher | Vulnerability | Date |
|------------|---------------|------|
| Your name could be here | Report a vulnerability | Help us improve |

## Bug Bounty

While we don't currently offer a formal bug bounty program, we do:

- Acknowledge security researchers in our documentation
- Provide early access to security patches
- Consider special recognition for significant findings

## Legal

By reporting a security vulnerability, you agree to:

- Keep the vulnerability confidential until we've had time to address it
- Not exploit the vulnerability for malicious purposes
- Work with us to coordinate disclosure
- Follow responsible disclosure practices

Thank you for helping keep our community secure! 🛡️

Last updated: July 2025