Security: wgtechlabs/osv-framework

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in the OSV Framework, please report it by creating a private security advisory or by contacting the maintainers directly.

Please do not report security vulnerabilities through public GitHub issues.

How to Report

  1. GitHub Security Advisory: Use GitHub's private vulnerability reporting feature

    • Go to the repository's Security tab
    • Click "Report a vulnerability"
    • Fill out the advisory form
  2. Direct Contact: For sensitive security issues, contact the maintainers only through the private reporting feature above, never through a public channel

    • For non-sensitive matters (questions, hardening suggestions that do not disclose an exploitable flaw), create a regular issue in the repository

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any suggested fixes (if available)

Supported Versions

Version Supported
Latest
< 1.0

Security Best Practices

For Framework Users

When implementing OSV Framework in your project:

  1. Keep Dependencies Updated: Regularly update your dependencies and check them against known-vulnerability databases
  2. Validate Input: Always validate and sanitize user input before it reaches calculation or sponsorship logic
  3. Secure Calculations: Ensure OSV calculation inputs and logic cannot be manipulated by untrusted parties; compute values from trusted data rather than accepting client-supplied results
  4. Access Control: Implement proper access control for sponsorship management so that only authorized users can create, modify, or assign sponsorships
  5. Audit Trail: Maintain logs of OSV calculations and sponsorship assignments (who changed what, and when) so that tampering can be detected and reviewed

For Contributors

When contributing to the OSV Framework:

  1. Follow Security Guidelines: Adhere to secure coding practices
  2. Review Dependencies: Check for vulnerabilities in any new dependencies
  3. Test Thoroughly: Include security testing in your contributions
  4. Document Security Implications: Note any security considerations in PRs

Disclosure Policy

We follow responsible disclosure practices:

  1. Acknowledgment: We'll acknowledge receipt of your vulnerability report within 48 hours
  2. Assessment: We'll assess the vulnerability and determine severity
  3. Fix Development: We'll work on a fix in a private branch
  4. Public Disclosure: After the fix is released, we'll publicly disclose the vulnerability with appropriate credit to the reporter (if desired)

Recognition

We appreciate security researchers who help keep the OSV Framework and its users safe. Security contributors will be:

  • Acknowledged in our SECURITY.md file (with permission)
  • Mentioned in release notes for security fixes
  • Eligible for OSV credits if they wish to sponsor related improvements

Thank you for helping keep the OSV Framework secure!


Created by Waren Gonzaga under WG Tech Labs
