
Security: prosdevlab/sdk-kit


.github/SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for such patches depends on the CVSS v3.0 rating of the issue:

Version | Supported
0.x.x   |

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them privately via:

  • GitHub Security Advisory: open a private vulnerability report from the Security tab of this repository

What to Include

When reporting a security vulnerability, please include:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

Security Response Process

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
  2. Initial Assessment: We will provide an initial assessment within 5 business days
  3. Updates: We will provide regular updates on the status of the vulnerability
  4. Resolution: We will work to resolve the issue and release a patch as quickly as possible

Disclosure Policy

  • We follow responsible disclosure practices
  • We will credit you for discovering the vulnerability (unless you prefer to remain anonymous)
  • We will work with you to understand and resolve the issue quickly
  • We will not take legal action against security researchers who:
    • Act in good faith
    • Avoid privacy violations, destruction of data, and interruption or degradation of our services
    • Do not exploit a security issue beyond what is necessary to demonstrate the vulnerability

Security Best Practices

When using SDK Kit:

  • Keep dependencies updated: Regularly update SDK Kit and its dependencies
  • Review plugin code: If using custom plugins, review their security implications
  • Validate inputs: Always validate and sanitize inputs before passing them to SDK Kit
  • Use HTTPS: Ensure all network requests use HTTPS
  • Follow least privilege: Only grant necessary permissions and capabilities to plugins

Known Security Considerations

Plugin System

  • Plugins have access to the SDK instance and configuration
  • Only use plugins from trusted sources
  • Review plugin code before integrating into production

Storage Plugins

  • Storage plugins may persist sensitive data
  • Be mindful of what data is stored and where
  • Consider encryption for sensitive data

Transport Plugins

  • Transport plugins make network requests
  • Ensure endpoints are validated and use HTTPS
  • Be aware of CORS and Content Security Policy (CSP) restrictions in browser environments: the page's connect-src directive must permit the endpoint, and the endpoint must answer cross-origin preflight requests
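To make "ensure endpoints are validated and use HTTPS" concrete (and the "Use HTTPS" best practice above), here is an added example of endpoint validation that a transport plugin could run once at construction. It is illustrative code written for this page, not SDK Kit's transport API; the allowlisted hosts, the function names and the `HttpsTransport` class are assumptions. It uses the WHATWG URL parser, so it rejects relative paths, plaintext schemes, credentials embedded in the URL, and hosts outside the allowlist, including lookalikes that a substring check would accept.

```javascript
// Added example, not SDK Kit code: endpoint validation for a transport plugin.
// ALLOWED_HOSTS, validateEndpoint, isValidEndpoint and HttpsTransport are
// assumed names for illustration.

// Constructed sample allowlist of hosts this transport may contact.
const ALLOWED_HOSTS = new Set(["api.example.com", "collect.example.com"]);

// Returns the normalized endpoint string, or throws with the reason.
function validateEndpoint(input, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    // Absolute-URL parsing: relative and malformed inputs throw here.
    url = new URL(String(input));
  } catch {
    throw new Error(`endpoint is not an absolute URL: ${input}`);
  }
  // Plaintext schemes expose payloads and allow response tampering.
  if (url.protocol !== "https:") {
    throw new Error(`endpoint must use https://, got ${url.protocol}`);
  }
  // Credentials belong in headers set by the host app, not in a URL that
  // ends up in logs, stack traces and Referer headers.
  if (url.username !== "" || url.password !== "") {
    throw new Error("endpoint must not embed credentials");
  }
  // Exact match on the parsed hostname (the parser already lowercases it).
  // A substring or startsWith check would accept "api.example.com.evil.net"
  // or "https://evil.net#api.example.com"; this rejects both.
  if (!allowedHosts.has(url.hostname)) {
    throw new Error(`endpoint host is not allowlisted: ${url.hostname}`);
  }
  return url.toString();
}

// Boolean form for callers that only need a yes/no answer.
function isValidEndpoint(input, allowedHosts = ALLOWED_HOSTS) {
  try {
    validateEndpoint(input, allowedHosts);
    return true;
  } catch {
    return false;
  }
}

// Minimal transport that validates at construction, so a bad endpoint fails
// fast when the plugin is configured rather than on the first send().
class HttpsTransport {
  constructor(endpoint, fetchImpl = globalThis.fetch) {
    this.endpoint = validateEndpoint(endpoint);
    this.fetchImpl = fetchImpl;
  }

  send(payload) {
    return this.fetchImpl(this.endpoint, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify(payload),
    });
  }
}
```

Validating the parsed `hostname` rather than the raw string is the important part: the parser resolves case, default ports, userinfo and fragments before the comparison, so the allowlist cannot be bypassed by formatting tricks in the configured URL.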

Security Updates

Security updates will be announced via:

  • GitHub Security Advisories
  • Release notes
  • npm package updates

Questions?

If you have questions about this security policy, please contact us at security@lytics.com.
