securelens-backend/SECURITY.md
2026-06-12 19:10:58 +05:30

Security Policy

We take the security of SecureLens and the codebases it scans seriously. This document details how to report vulnerabilities, which versions are supported, and our disclosure process.

Supported Versions

Security updates are actively backported to the current major version. We recommend all users upgrade to the latest stable release of SecureLens to receive security patches.

Version    Supported
1.x.x      Yes
< 1.0.0    No

Reporting a Vulnerability

If you discover a security vulnerability in SecureLens, please do not open a public GitHub issue. A public issue discloses the flaw before a patch is available, giving attackers a window in which to exploit it.

Instead, report vulnerabilities through one of the following methods:

  • Private Vulnerability Reporting: Submit a draft security advisory directly on GitHub via the Security tab.
  • Email: Send details of the issue to security@securelens.io.

What to Include in Your Report

To help us triage and patch the issue quickly, please include:

  • A detailed description of the vulnerability and its potential impact.
  • Step-by-step instructions or a proof-of-concept (PoC) to reproduce the issue.
  • The version of SecureLens (both backend and CLI) and dependencies used.
  • Any potential mitigation steps you have identified.

Our Security Response Process

Once a vulnerability report is received:

  1. Acknowledgement: We will acknowledge receipt of your report within 48 hours.
  2. Triage: We will investigate and verify the vulnerability. We may contact you for further details or clarification.
  3. Patch Development: We will develop a fix for the vulnerability.
  4. Coordination & Disclosure: We will work with you to coordinate a release date for the security update. We aim to publish a patched release and advisory within 30 days of validation.