The following versions of CentralConfigGenerator are currently being supported with security updates:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

We take the security of CentralConfigGenerator seriously. If you believe you've found a security vulnerability, please follow these steps:
- Do not disclose the vulnerability publicly
- Open a GitHub issue with details about the vulnerability
- Include the following information in your report:
  - Type of vulnerability
  - Full path of source file(s) related to the vulnerability
  - Location of the affected source code (tag/branch/commit or URL)
  - Step-by-step instructions to reproduce the issue
  - Proof-of-concept or exploit code (if possible)
  - Impact of the vulnerability and how it might be exploited

When you submit a vulnerability report, you can expect:
- Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours.
- Status Updates: We will provide updates on the status of your report as we investigate.
- Resolution Timeline: We aim to address and resolve critical security vulnerabilities within 90 days of notification.

When implementing CentralConfigGenerator in your applications, consider these security best practices:
- Keep the library updated to the latest supported version.
- Limit access to configuration files: ensure that configurations containing sensitive data have appropriate access controls.
- Use encrypted configuration for sensitive values like API keys, tokens, and credentials.
- Implement the principle of least privilege when defining access to configuration data.
- Validate all configuration inputs: never trust input without validating it first.
- Enable logging and monitoring for configuration access and changes.
- Audit configuration usage regularly to ensure compliance with security policies.

CentralConfigGenerator provides several security features:
- Encryption: Support for encrypting sensitive configuration values
- Access Control: Granular access control for configuration settings
- Validation: Input validation for configuration values
- Audit Logging: Comprehensive logging of configuration access and modifications

We are committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us. We appreciate your efforts in responsibly disclosing your findings, and we will make every effort to acknowledge your contributions.
Security updates will be released as part of our regular release cycle or as emergency patches depending on severity. We recommend configuring your dependency manager to receive notifications about new releases.
This security policy is subject to change. Please check back regularly for updates.