We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.1 Rating:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
The Bootstrap Sheet team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to sergeymironov@protonmail.com.
Please include the following information in your report:
- Type of issue (e.g., XSS, CSRF, code injection, privilege escalation, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Any special configuration required to reproduce the issue
You can expect the following:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.
- Communication: We will keep you informed about the progress of fixing the vulnerability.
- Credit: We will give you credit for the discovery in the security advisory (unless you prefer to remain anonymous).
- Timeline: We aim to:
  - Confirm the problem and determine affected versions within 7 days
  - Release a fix as soon as possible, depending on complexity
  - Coordinate public disclosure after the fix is released
Security updates will be released as patch versions (e.g., 0.1.1) and will be clearly marked in the CHANGELOG.md.
We consider the following as security vulnerabilities:
- Cross-Site Scripting (XSS) vulnerabilities
- Code Injection vulnerabilities
- Authentication/Authorization bypass
- Denial of Service (DoS) vulnerabilities that can be triggered remotely
- Information Disclosure that exposes sensitive data
- Security misconfigurations in default settings
- Issues that allow arbitrary code execution
We do not consider the following to be security vulnerabilities:
- Reports from automated tools without proof of exploitability
- Issues requiring physical access to a user's device
- Social engineering attacks
- Issues in dependencies (please report these to the respective project)
- Theoretical attacks without practical exploitability
- Bugs that don't have security implications
To ensure maximum security when using Bootstrap Sheet:
- Always use the latest version - Security patches are only applied to the latest release
- Sanitize user input - Always escape and validate user-provided content before displaying
- Content Security Policy - Implement a strict CSP to prevent XSS attacks
- HTTPS only - Always serve your application over HTTPS
- Keep dependencies updated - Regularly update Bootstrap and other dependencies
Bootstrap Sheet manipulates the DOM and should only be used with trusted content. When using dynamic content:
```javascript
// ❌ DON'T: Insert untrusted HTML directly
sheetBody.innerHTML = userProvidedContent;

// ✅ DO: Sanitize or use textContent
sheetBody.textContent = userProvidedContent;
// or use a sanitization library like DOMPurify
sheetBody.innerHTML = DOMPurify.sanitize(userProvidedContent);
```
The component manages focus and uses the inert attribute or aria-hidden to prevent interaction with background content. Ensure your application doesn't inadvertently bypass these protections.
Custom event handlers attached to sheet elements should properly validate data in event.detail before use.
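The following is an added example, not code from the Bootstrap Sheet project, that puts the three points above into small checkable helpers: rendering untrusted content as text, validating a custom event's `event.detail` against an expected shape before using it, and confirming that the content behind an open sheet is still marked inert. The `title`/`size` fields in `detail`, the `ALLOWED_SIZES` values and the duck-typed element objects are assumptions made for the example; in a browser the same functions take real DOM elements.

```javascript
// Added example (not Bootstrap Sheet project code). The event.detail
// fields `title` and `size` and the allowed size values are assumptions.

// Escape the five HTML-significant characters so untrusted text can be
// placed into markup or an attribute value without being parsed as HTML.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render untrusted content as plain text. `sheetBody` is any object with a
// settable `textContent` property (a DOM element in the browser); nothing
// in the string is interpreted as markup.
function setSheetText(sheetBody, untrusted) {
  sheetBody.textContent = String(untrusted);
  return sheetBody;
}

// Validate a custom event's `detail` before acting on it. Returns a cleaned
// copy when the payload matches the expected shape, otherwise null so the
// handler can ignore it. Field names are hypothetical.
const ALLOWED_SIZES = new Set(['sm', 'md', 'lg']);
function validateSheetDetail(detail) {
  if (detail === null || typeof detail !== 'object') return null;
  const { title, size } = detail;
  if (typeof title !== 'string' || title.length === 0 || title.length > 200) return null;
  if (!ALLOWED_SIZES.has(size)) return null;
  return { title: escapeHtml(title), size };
}

// Check that every element outside the open sheet is still blocked from
// interaction, i.e. application code has not removed the component's
// `inert` attribute or `aria-hidden="true"` marker. Each element must expose
// an `inert` boolean and a `getAttribute(name)` method, as DOM elements do.
function backgroundIsInert(siblings) {
  return siblings.every(
    (el) => el.inert === true || el.getAttribute('aria-hidden') === 'true',
  );
}

// Example handler wiring the pieces together (constructed usage).
function onSheetEvent(sheetBody, event) {
  const detail = validateSheetDetail(event.detail);
  if (detail === null) return false;      // drop malformed payloads
  setSheetText(sheetBody, detail.title);  // text, never innerHTML
  return true;
}

module.exports = { escapeHtml, setSheetText, validateSheetDetail, backgroundIsInert, onSheetEvent };
```

Using `textContent` (or an escaping step such as `escapeHtml`) keeps markup in user input from ever reaching the parser; the `event.detail` check rejects payloads of the wrong type or shape before the handler touches them; and `backgroundIsInert` is a cheap assertion to run in tests or a debug build to catch code that accidentally un-inerts the page behind an open sheet.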
We recognize and thank the following individuals for responsibly disclosing security vulnerabilities:
(No entries yet)
To be listed here, please include your preferred name and profile link when submitting your report.
This security policy applies to the Bootstrap Sheet project under the MIT License. It does not extend to external dependencies or integrations.
If you have any questions about this security policy, please contact sergeymironov@protonmail.com.