Because our project is still in its early stages, we only provide security fixes for the most recent release:
| Version | Supported |
|---|---|
| 0.0.x | ✅ |
| < 0.0.1 | ❌ |
We take Edwin's security very seriously. If you discover a vulnerability, please let us know by following these steps:
- Do Not create a public GitHub issue about the vulnerability.
- Send an email to security@edwin.finance with:
- A clear description of the issue
- Steps to reproduce
- Potential impact
- Any proposed mitigations or fixes
- Initial Response (within 48 hours): We will confirm we've received your report.
- Progress Updates (every five business days): We'll inform you of any developments.
- Resolution Timeline (aim: 15 days): We strive to address critical issues promptly.
- Disclosure: We coordinate with you on an appropriate public disclosure timeline.
- Never commit passwords, tokens, or other secrets to the repository.
- Use environment variables as outlined in our secrets management documentation.
- Immediately rotate any exposed credentials.
- Regularly update all dependencies.
- Stay informed of security advisories related to your packages.
- Use
pnpm auditto detect known vulnerabilities.
- All changes must be made through pull requests.
- Sensitive changes require additional review.
- Always enable branch protection settings on critical branches.
- Adhere to our secrets management guide for secure configuration.
- Use separate API keys for production and development.
- Rotate all credentials periodically.
- Apply rate limiting on API calls where possible.
- Monitor usage to detect unusual behavior.
- Ensure proper authentication for any publicly exposed endpoints.
- Use distinct bot tokens for different environments.
- Limit platform API permissions to only what's necessary.
- Conduct regular audits of access and permissions.
- Environment-variable-based secrets management.
- Type-safe API implementations.
- Automated dependency updates.
- Security checks integrated into our CI process.
- Expanded security-focused documentation.
- Automated vulnerability scanning tools.
We follow a coordinated disclosure approach:
- The reporter submits the details of the vulnerability.
- Our team verifies and assesses the report.
- A fix is developed, reviewed, and tested.
- We deploy the fix to supported versions.
- Public disclosure occurs after 30 days or as agreed upon.
We appreciate the work of security researchers who help us improve. Anyone who reports a verified vulnerability will:
- Be acknowledged in our security credits (or remain anonymous upon request).
- Be listed in our security hall of fame.
- Potentially qualify for our upcoming bug bounty program.
This project is released under the MIT License, which means:
- The software is provided "as is" with no warranties.
- Users are responsible for their security measures.
- Contributors grant a perpetual license for all submitted contributions.
- Security Issues: security@edwin.finance
- General Inquiries: Join our community on Discord
- Security Updates: Check our official security advisory page