We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability within this project, please follow these steps:

- Do NOT create a public GitHub issue
- Send details to the maintainers through GitHub Security Advisories
- Include the following in your report:
  - Description of the vulnerability
  - Steps to reproduce
  - Possible impact
  - Suggested fix (if any)

What to expect:

- Acknowledgment of your report within 48 hours
- Regular updates on our progress
- Credit for responsible disclosure (unless you prefer to remain anonymous)
When using this gem:

- **API Key Management**
  - Never commit API keys to version control
  - Use environment variables or secure credential management
  - Rotate API keys regularly
- **Dependencies**
  - Keep the gem updated to the latest version
  - Monitor security advisories
  - Use `bundle audit` to check for vulnerable dependencies
- **Data Handling**
  - Be cautious with sensitive data in logs
  - Use HTTPS for all API communications
  - Implement proper error handling to avoid information leakage
This gem includes:

- Automatic API key masking in logs
- SSL/TLS verification by default
- Rate limiting protection
- Input validation and sanitization
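The two practices above that are easiest to get wrong in application code are loading the API key from the environment and keeping it out of logs. The following is an added example (not the gem's own code) showing one way to do both: a fail-closed key loader and a `Logger` formatter that masks the key wherever it appears in a message. `EXAMPLE_API_KEY` is a hypothetical variable name and the sample key is constructed.

```ruby
require "logger"
require "time"

# Example code added for this document, not the gem's own implementation.
# EXAMPLE_API_KEY is a hypothetical environment variable name.
API_KEY_ENV = "EXAMPLE_API_KEY"

# Read the key from the environment rather than from source control.
# Fails closed: a missing or blank key raises instead of sending
# an empty credential to the API.
def fetch_api_key(env = ENV)
  key = env[API_KEY_ENV]
  raise KeyError, "#{API_KEY_ENV} is not set" if key.nil? || key.strip.empty?
  key
end

# Replace every occurrence of +secret+ in +message+ with a placeholder.
# For keys of 8+ characters the last four are kept so operators can tell
# which key was used without the log exposing the credential itself.
def mask_secret(message, secret)
  return message if secret.nil? || secret.empty?
  suffix = secret.length >= 8 ? secret[-4..] : ""
  message.gsub(secret, "****#{suffix}")
end

# Logger whose formatter masks the key in every line, regardless of
# which part of the code (request tracing, error handling) emitted it.
def build_masking_logger(secret, io = $stdout)
  logger = Logger.new(io)
  logger.formatter = proc do |severity, time, _progname, msg|
    "#{time.utc.iso8601} #{severity}: #{mask_secret(msg.to_s, secret)}\n"
  end
  logger
end

if __FILE__ == $PROGRAM_NAME
  ENV[API_KEY_ENV] ||= "sk_constructed_example_key_1234" # constructed sample value
  key = fetch_api_key
  log = build_masking_logger(key)
  # The logged line ends with "Bearer ****1234"; the full key never reaches the log.
  log.info("request sent with Authorization: Bearer #{key}")
end
```

Masking by exact value only catches the key as loaded; if the gem encodes it (for example base64 in a Basic header) the encoded form needs its own entry in the mask list.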
For security concerns, please use GitHub Security Advisories or contact the maintainers directly through GitHub.