securelens-backend/SECURITY.md

# Security Policy
We take the security of SecureLens and the codebases it scans seriously. This document details how to report vulnerabilities, which versions are supported, and our disclosure process.
---
## Supported Versions
Security updates are actively backported to the current major version. We recommend all users upgrade to the latest stable release of SecureLens to receive security patches.
| Version | Supported |
|---|---|
| 1.x.x | Yes |
| < 1.0.0 | No |
---
## Reporting a Vulnerability
If you discover a security vulnerability in SecureLens, please do not open a public GitHub issue. A public issue exposes the vulnerability to everyone before a patch is available.
Instead, report vulnerabilities through one of the following methods:
* **Private Vulnerability Reporting:** Submit a draft security advisory directly on GitHub via the Security tab.
* **Email:** Send details of the issue to security@securelens.io.
### What to Include in Your Report
To help us triage and patch the issue quickly, please include:
* A detailed description of the vulnerability and its potential impact.
* Step-by-step instructions or a proof-of-concept (PoC) to reproduce the issue.
* The version of SecureLens (both backend and CLI) and dependencies used.
* Any potential mitigation steps you have identified.
---
## Our Security Response Process
Once a vulnerability report is received:
1. **Acknowledgement:** We will acknowledge receipt of your report within 48 hours.
2. **Triage:** We will investigate and verify the vulnerability. We may contact you for further details or clarification.
3. **Patch Development:** We will develop a fix for the vulnerability.
4. **Coordination & Disclosure:** We will work with you to coordinate a release date for the security update. We aim to publish a patched release and advisory within 30 days of validation.