We take security seriously. If you discover a security vulnerability, please report it responsibly.
- DO NOT create a public GitHub issue
- Preferred: Use GitHub's private vulnerability reporting on the affected repository's Security tab
- Alternative: Email: security@sqloot.dev
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested fixes (optional)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Resolution timeline: Depends on severity (critical: ASAP, high: 30 days, medium: 90 days)
This policy applies to all SQLoot repositories.

We appreciate responsible disclosure and will acknowledge security researchers in our release notes (unless you prefer to remain anonymous).

| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ (upgrade recommended) |

When contributing to SQLoot projects:
- Never commit secrets, API keys, or credentials
- Use environment variables for sensitive data
- Keep dependencies up to date
- Follow secure coding practices
- Enable 2FA on your GitHub account
For automated discovery of this policy by security tools, we publish a security.txt file as specified by RFC 9116; see /.well-known/security.txt in production deployments.