| Version | Supported |
|---|---|
| 0.2.x | ✅ Supported |
| 0.1.x | ❌ Unsupported |
Please DO NOT report security vulnerabilities publicly. Instead, report them privately through GitLab Issues:

Create a Private Issue:
- Go to GitLab Issues
- Click "New issue"
- Set confidentiality to "Only team members"
- Use the "Security" label

Include the Following Information:
- Type of vulnerability (XSS, injection, etc.)
- Steps to reproduce the issue
- Potential impact
- Any proof-of-concept code (if applicable)
- Environment details (browser, OS, version)

What to Expect:
- Initial response within 48 hours
- Detailed assessment within 7 days
- Patch timeline based on severity
- Public disclosure after the fix is deployed
We consider the following as security vulnerabilities:
- Cross-Site Scripting (XSS): Injection of malicious scripts
- File Upload Vulnerabilities: Malicious file handling
- Server-Side Injection: Code injection in API endpoints
- Authentication Bypass: Unauthorized access to features
- Data Exposure: Sensitive information leakage
- Denial of Service: Resource exhaustion attacks
- Dependency Vulnerabilities: Security issues in dependencies

Reports are triaged by severity, from highest to lowest:

Critical:
- Remote code execution
- Complete system compromise
- Widespread data exposure

High:
- Significant data exposure
- Privilege escalation
- Authentication bypass

Medium:
- Limited data exposure
- Local file inclusion
- Cross-site scripting with user interaction

Low:
- Information disclosure
- Minor security issues
- Best practice violations
Security best practices for users:
- Keep Updated: Always use the latest version
- Input Validation: Validate all markdown input
- File Handling: Be cautious with uploaded files
- Network Security: Use HTTPS in production

Security best practices for developers:
- Input Sanitization: Sanitize all user input
- Output Encoding: Encode all output to prevent XSS
- File Validation: Validate uploaded file types and sizes
- Dependencies: Regularly update dependencies
- Code Review: Review all code for security issues

Security measures in this project:
- Input Validation: Client and server-side validation
- File Type Checking: Restrict file uploads to .md files
- Content Security Policy: CSP headers for XSS protection
- Dependency Scanning: Regular security updates
- Serverless Isolation: Netlify's secure environment
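As an added illustration of three of the measures listed above (file type checking, output encoding and CSP headers), here is a server-side validation routine of the kind a Markdown-to-PDF upload endpoint can run before it touches a file. This is example code written for this page, not the converter's own implementation; the size limit, the accepted extensions, the `validateMarkdownUpload`, `escapeHtml` and `securityHeaders` names, and the CSP value are all assumptions chosen for illustration.

```javascript
// Added example (not the project's own code): checks an upload endpoint can apply
// before processing a Markdown file. The limits and the CSP policy below are assumptions.

const MAX_UPLOAD_BYTES = 1024 * 1024; // assumed 1 MiB cap, limits resource exhaustion
const ALLOWED_EXTENSIONS = new Set(['.md', '.markdown']); // assumed accepted extensions

// Validate an upload given its client-supplied filename and its raw bytes.
// Returns { ok: true, name } on success or { ok: false, reason } on rejection.
function validateMarkdownUpload(filename, data) {
  if (typeof filename !== 'string' || filename.length === 0) {
    return { ok: false, reason: 'missing filename' };
  }
  // Accept only a bare final path component: anything with a directory part,
  // a "." / ".." name or an embedded NUL byte is rejected outright.
  const base = filename.split(/[\\/]/).pop();
  if (base !== filename || base === '.' || base === '..' || base.includes('\0')) {
    return { ok: false, reason: 'invalid filename' };
  }
  const dot = base.lastIndexOf('.');
  const ext = dot === -1 ? '' : base.slice(dot).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: 'only .md files are accepted' };
  }
  if (!(data instanceof Uint8Array)) { // Node's Buffer is a Uint8Array subclass
    return { ok: false, reason: 'body must be bytes' };
  }
  if (data.length === 0) {
    return { ok: false, reason: 'empty file' };
  }
  if (data.length > MAX_UPLOAD_BYTES) {
    return { ok: false, reason: 'file too large' };
  }
  // Markdown is text: a body that is not valid UTF-8 is refused, which catches
  // binaries that were simply renamed to .md to pass the extension check.
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(data);
  } catch (e) {
    return { ok: false, reason: 'not valid UTF-8 text' };
  }
  return { ok: true, name: base };
}

// Output encoding for any untrusted string echoed into HTML, such as the
// uploaded filename shown back to the user in a status page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Response headers for the converter's pages: a restrictive CSP (assumed policy)
// plus nosniff so a served file is never reinterpreted as script or HTML.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample input: a small Markdown body and a traversal-style filename.
const sampleBody = new TextEncoder().encode('# Title\n\nSome text.\n');
console.log(validateMarkdownUpload('notes.md', sampleBody));      // { ok: true, name: 'notes.md' }
console.log(validateMarkdownUpload('../notes.md', sampleBody));   // rejected: invalid filename
console.log(escapeHtml('<b>' + 'notes.md' + '</b>'));             // &lt;b&gt;notes.md&lt;/b&gt;

module.exports = { validateMarkdownUpload, escapeHtml, securityHeaders, MAX_UPLOAD_BYTES };
```

The order of the checks matters: the filename and extension are tested before the body is read, the size cap is applied before the body is decoded, and the strict UTF-8 decode runs last so that an oversized upload never reaches the more expensive step. The extension check alone is not enough, which is why the decode step and the `nosniff` header are there as well.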
Vulnerability handling process:
- Assessment: Evaluate vulnerability severity and impact
- Development: Create and test security patches
- Release: Deploy patches with security advisories
- Disclosure: Public disclosure after patch deployment

Security updates are communicated through:
- Security Advisories: Published in GitLab Issues
- Release Notes: Security updates documented in CHANGELOG.md
- Dependency Updates: Automated security updates for dependencies
The security team reviews and responds to all security reports:
- Response Time: Within 48 hours
- Assessment: Within 7 days
- Resolution: Based on severity and complexity
We thank security researchers and users who help us maintain the security of the Markdown to PDF Converter.
Security researchers who have contributed to our security:

(To be updated as vulnerabilities are reported and fixed.)
This security policy is provided "as is" without warranty of any kind. We reserve the right to modify this policy at any time.
Remember: Security is everyone's responsibility. If you find a vulnerability, please report it responsibly.