
Security: ApyGuard/apyguard_openapi_analysis


Security Policy

We take the security of OpenAPI Analyzer seriously. This document explains how we handle vulnerabilities, supported versions, reporting procedures, and our commitments to users and researchers.


🔢 Supported Versions

We actively maintain and provide security updates for the following versions:

| Version | Supported        |
|---------|------------------|
| 1.x.x   | ✅ Supported     |
| < 1.0   | ❌ Not Supported |

🔒 Reporting a Vulnerability

If you discover a security vulnerability, we ask you to report it responsibly so we can investigate and fix it quickly.

How to Report

  1. DO NOT open a public GitHub issue for security vulnerabilities.
  2. DO NOT disclose the vulnerability publicly until we’ve confirmed and fixed it.
  3. DO report security issues privately using one of these methods:

Option 1: GitHub Security Advisories (Recommended)

  • Go to the Security tab in this repository.
  • Click “Report a vulnerability”.
  • Complete the advisory form with details of the issue.

Option 2: Direct Contact

  • Email: [email protected]
  • Subject line: SECURITY
  • Provide as much detail as possible (see below).

What to Include

When reporting, please include:

  • Description: Clear summary of the vulnerability
  • Impact: Potential consequences if exploited
  • Steps to Reproduce: Exact steps to replicate the issue
  • Affected Versions: List of affected versions
  • Suggested Fix: Optional recommendations
  • Contact Info: How we can reach you for follow-up

🛡️ Our Response Process

When you report a vulnerability, we will:

  1. Acknowledge your report within 48 hours.
  2. Investigate thoroughly to confirm the issue.
  3. Develop and test a fix if validated.
  4. Release a security update as soon as possible.
  5. Credit you in advisories (unless you prefer anonymity).
  6. Notify you when the fix is available.

🏆 Researcher Recognition

We value contributions from the security community:

  • Hall of Fame: Researchers may be listed in security advisories.
  • Credit: Proper recognition for responsible disclosure.
  • Acknowledgment: Significant contributions may be highlighted in release notes.

🔍 Scope

This policy covers:

  • OpenAPI Analyzer GitHub Action (core functionality)
  • Dependencies (when directly bundled or affecting security)
  • Infrastructure (GitHub Actions runners and containers)
  • Documentation (security-related guidance and examples)

🚫 Out of Scope

The following are not considered valid security reports:

  • Social engineering (phishing, etc.)
  • Physical attacks on systems
  • DoS or spam that doesn’t lead to data exposure
  • Issues only affecting unrelated third-party dependencies

📜 Responsible Disclosure

We follow responsible disclosure principles:

  • 90-day timeline: We aim to fix critical vulnerabilities within 90 days of confirmation.
  • Coordinated disclosure: We work with researchers on safe public disclosure timelines.
  • Good faith protection: No legal action against researchers acting responsibly.
  • Transparent updates: We’ll keep you informed during investigation and resolution.

🔧 Security Best Practices

To keep users safe, we enforce:

  • Minimal permissions: The GitHub Action requests only the permissions it needs.
  • Secure defaults: Configurations are secure by default.
  • Dependency management: Regular updates and vulnerability scans.
  • Encrypted communication: All transmissions use HTTPS.
  • No sensitive data collection: We never collect API keys, passwords, or private repository content.

📞 Contact

For security-related issues:


Thank you for helping us keep OpenAPI Analyzer secure! 🛡️


Last Updated: September 2025
