Security: Ivy-Interactive/Ivy-Framework

SECURITY.md

Security Policy

Supported Versions

We recommend always using the latest version of Ivy Framework to ensure you have the most recent security patches and improvements.

Reporting a Vulnerability

We take the security of Ivy Framework seriously. If you believe you have found a security vulnerability, please report it to us as described below.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. GitHub Security Advisories (Preferred):
    • Navigate to the Security tab in this repository
    • Click on "Report a vulnerability"
    • Fill out the security advisory form with details about the vulnerability
  2. Email (Alternative):
    • Contact the maintainers directly through the contact information provided in the repository

What to Include

When reporting a vulnerability, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any suggested fixes or mitigations (if available)
  • Your contact information (optional, but helpful for follow-up questions)

What to Expect

  • Acknowledgment: We will acknowledge receipt of your report within 48 hours
  • Initial Assessment: We will provide an initial assessment within 7 days
  • Updates: We will keep you informed of our progress in addressing the vulnerability
  • Resolution: We will work to resolve critical vulnerabilities as quickly as possible

Disclosure Policy

We follow a coordinated disclosure process:

  1. We will work with you to understand and resolve the issue quickly
  2. We will not disclose the vulnerability publicly until a fix is available
  3. Once a fix is ready, we will release it and credit you (if desired) for the discovery
  4. We will publish a security advisory through GitHub Security Advisories

Scope

This security policy applies to:

  • The Ivy Framework core library
  • Official Ivy Framework widgets and components
  • Authentication providers and integrations
  • Database connectors and data providers
  • The Ivy CLI tool

Out of Scope

The following are generally considered out of scope:

  • Issues in third-party dependencies (please report these to the respective maintainers)
  • Issues in applications built with Ivy Framework (these should be reported to the application maintainers)
  • Social engineering attacks
  • Denial of service attacks
  • Issues requiring physical access to a user's device

Security Best Practices

When using Ivy Framework:

  • Always use the latest version
  • Keep your dependencies up to date
  • Follow secure coding practices as outlined in our documentation
  • Review and understand the security implications of authentication providers you use
  • Regularly audit your application's security configuration

Security Features

Ivy Framework is built with security in mind:

  • Server-side state management: Minimizes risk of secrets leakage
  • Handcrafted authentication integrations: All authentication providers are audited
  • Enterprise security constraints: Built around strict security requirements
  • Secrets management: Secure handling of sensitive configuration

Additional Resources

Thank you for helping keep Ivy Framework and its users safe!