We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 0.x | ✅ |
We take the security of Forerunner seriously. If you discover a security vulnerability, please follow these steps:

Please do NOT:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed

Please DO:
- Email us privately at [email protected] with details of the vulnerability
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if you have one)
What to expect after reporting:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Updates: We will provide regular updates about our progress
- Timeline: We aim to address critical vulnerabilities within 7 days
- Credit: If you wish, we will credit you for the discovery in our changelog
- We will investigate all legitimate reports and do our best to fix vulnerabilities quickly
- We will coordinate the release timing with you
- We will publicly disclose the vulnerability after a fix is released
Security best practices when using Forerunner:
- Keep dependencies updated: Regularly update the package and its dependencies
- Validate user input: Never pass untrusted user input directly to schema definitions
- Sanitize dynamic schemas: If building schemas from user input, validate and sanitize all data
- Review generated schemas: Ensure generated JSON schemas match your security requirements
- Monitor for updates: Watch the repository for security-related updates

Known security considerations:
- This package generates JSON schemas for validation purposes
- Never use user input directly in callback functions without validation
- Be cautious when dynamically generating schemas from external data sources
- JSON encoding is used throughout: ensure PHP's JSON extension is properly configured
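The following is an added example, not code from the Forerunner project, showing one way to apply the practices above when a schema has to be built from untrusted input: the caller's field list is checked against allowlists of property names, types and constraint keywords before anything reaches the schema, and the result is encoded with `JSON_THROW_ON_ERROR` so a misconfigured or missing JSON extension fails loudly instead of returning `false`. Plain PHP arrays stand in for whatever schema builder you use; the Forerunner API itself is not assumed here, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not part of Forerunner): build a JSON schema from an
// untrusted field description using allowlists, instead of passing the raw
// input into the schema definition. Plain arrays model the schema; no
// Forerunner API is assumed.

// Only these JSON Schema types may be requested by a caller.
const ALLOWED_TYPES = ['string', 'integer', 'number', 'boolean'];

// Only these per-field constraints are honoured, each paired with a
// validator for its value, so a caller cannot inject arbitrary keywords.
const ALLOWED_CONSTRAINTS = [
    'minLength' => 'is_int',
    'maxLength' => 'is_int',
    'minimum'   => 'is_numeric',
    'maximum'   => 'is_numeric',
];

/**
 * Build an object schema from a field list such as
 * [['name' => 'age', 'type' => 'integer', 'minimum' => 0]].
 * Throws InvalidArgumentException on anything outside the allowlists.
 */
function buildSchemaFromUntrustedFields(array $fields): array
{
    $properties = [];
    foreach ($fields as $field) {
        if (!is_array($field) || !isset($field['name'], $field['type'])) {
            throw new InvalidArgumentException('field needs a name and a type');
        }
        $name = $field['name'];
        // Property names: short identifiers only, so a caller cannot smuggle
        // in keys such as "$ref" or excessively long names.
        if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
            throw new InvalidArgumentException('invalid property name');
        }
        if (isset($properties[$name])) {
            throw new InvalidArgumentException("duplicate property: $name");
        }
        if (!in_array($field['type'], ALLOWED_TYPES, true)) {
            throw new InvalidArgumentException("type not allowed for $name");
        }
        $property = ['type' => $field['type']];
        foreach ($field as $key => $value) {
            if ($key === 'name' || $key === 'type') {
                continue;
            }
            // Unknown keyword, or a value of the wrong kind: reject the whole request.
            if (!isset(ALLOWED_CONSTRAINTS[$key]) || !ALLOWED_CONSTRAINTS[$key]($value)) {
                throw new InvalidArgumentException("constraint not allowed: $key on $name");
            }
            $property[$key] = $value;
        }
        $properties[$name] = $property;
    }
    return [
        '$schema'              => 'https://json-schema.org/draft/2020-12/schema',
        'type'                 => 'object',
        'properties'           => $properties,
        'additionalProperties' => false,
    ];
}

/**
 * Encode the schema, surfacing encoding failures (invalid UTF-8, depth) as
 * exceptions rather than a silent false, and failing early if ext-json is absent.
 */
function encodeSchema(array $schema): string
{
    if (!extension_loaded('json')) {
        throw new RuntimeException('PHP json extension is not loaded');
    }
    return json_encode($schema, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

// Constructed sample input, as it might arrive in a request body.
$untrusted = [
    ['name' => 'username', 'type' => 'string',  'maxLength' => 32],
    ['name' => 'age',      'type' => 'integer', 'minimum'   => 0],
];
echo encodeSchema(buildSchemaFromUntrustedFields($untrusted)), PHP_EOL;

// A field carrying a keyword outside the allowlist never reaches the schema.
try {
    buildSchemaFromUntrustedFields([['name' => 'x', 'type' => 'string', '$ref' => '#']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlists are deliberately small; extend them per field type as your application needs, and keep `additionalProperties` set to `false` so the generated schema rejects keys you did not anticipate.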
If you have questions about security that are not sensitive in nature, feel free to open a GitHub issue or contact us at [email protected].