Skip to content

Security Policy

Supported Versions

Version Supported
1.0.x :white_check_mark:
< 1.0 :x:

Dependency Security

Dependency Management

EVOSEAL uses a comprehensive approach to dependency management to ensure security and stability:

  1. Pinned Dependencies: All dependencies are pinned to specific versions in:
  2. requirements/pinned_requirements.txt (core dependencies)
  3. requirements/pinned_dev_requirements.txt (development dependencies)

  4. requirements/security.txt (security tools)

  5. Update Process: 

    # Update all dependencies
./scripts/update_dependencies.sh

# Fix dependency conflicts (if any)
./scripts/fix_dependencies.sh

Security Scanning

We use the following tools to maintain dependency security:

  1. Safety: For checking Python dependencies against known vulnerabilities 

    pip install safety
safety check --full-report

  2. Bandit: For identifying common security issues in Python code 

    pip install bandit
bandit -r .

  3. Dependabot: Automated dependency updates with security alerts (enabled in GitHub)

Best Practices

  1. Regular Updates:
  2. Run security scans weekly
  3. Update dependencies monthly or when critical vulnerabilities are reported

  4. Review and update security tools quarterly

  5. Pre-commit Hooks:

  6. Security checks are integrated into pre-commit hooks

  7. All dependencies are validated before commit

  8. CI/CD Integration:

  9. Security scans are part of the CI/CD pipeline
  10. Builds fail on high/critical vulnerabilities

Reporting a Vulnerability

We take the security of our software seriously. If you discover a security vulnerability in EVOSEAL, we appreciate your help in disclosing it to us in a responsible manner.

How to Report a Vulnerability

Please report security vulnerabilities by emailing our security team at security@example.com. We will respond to your email within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

What to Include in Your Report

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The version of EVOSEAL you're using
  • Any potential impact of the vulnerability
  • Your name and affiliation (if applicable) for credit

Our Security Process

  1. Your report will be acknowledged within 48 hours
  2. The security team will verify the vulnerability
  3. A fix will be developed and tested
  4. The fix will be released in a new version
  5. A security advisory will be published

Security Best Practices

For Users

  • Always use the latest version of EVOSEAL
  • Keep your API keys and credentials secure
  • Use environment variables for sensitive configuration
  • Regularly audit your dependencies

For Developers

  • Follow secure coding practices
  • Keep dependencies up to date
  • Use static analysis tools
  • Implement proper input validation
  • Use prepared statements for database queries
  • Implement proper error handling

Security Updates

Security updates will be released as patch versions (e.g., 1.0.1, 1.0.2). We recommend always running the latest patch version.

Known Security Issues

A list of known security issues and their status is maintained in our security advisories.

Security Contact

For any security-related questions or concerns, please contact security@example.com.

Responsible Disclosure Policy

We follow the principle of responsible disclosure. We ask that you:

  • Give us reasonable time to investigate and mitigate an issue before disclosing it publicly
  • Make a good faith effort to avoid privacy violations, data destruction, and service interruptions
  • Do not exploit a security issue for any reason

Encryption

All sensitive data should be encrypted both in transit and at rest. We recommend using industry-standard encryption algorithms and key management practices.

Third-Party Dependencies

We regularly audit our third-party dependencies for known vulnerabilities using automated tools. However, we recommend that you also:

  • Regularly update your dependencies
  • Use dependency management tools to track known vulnerabilities
  • Consider using tools like Dependabot or Snyk for automated dependency updates

Reporting Security Issues in Dependencies

If you discover a security issue in one of our dependencies, please report it to the maintainers of that project first. Once the issue has been addressed upstream, please let us know so we can update our dependencies.

Last update: 2025-07-20
Created: 2025-06-17