We take security seriously at PlacementOS. We currently support security updates for the following versions of the project. We strongly recommend always using the latest stable release.
| Version | Supported | Description |
|---|---|---|
| >= 1.0.0 | ✅ | Currently supported |
| < 1.0.0 | ❌ | Pre-release (Unsupported) |
If you discover a security vulnerability within PlacementOS, please do not open a public issue. Instead, follow our responsible disclosure process:
- Email us: Send a detailed email to security@placementos.example.com.
- Details: Include a clear description of the vulnerability, the steps required to reproduce it, and any potential impact.
- Response: We will acknowledge receipt of your vulnerability report within 48 hours.
We ask that you follow these guidelines when reporting a vulnerability:
- Do not exploit the vulnerability beyond what is necessary to confirm its existence.
- Do not publicly disclose the vulnerability until we have had a reasonable amount of time to release a patch (typically 90 days).
- Do not attempt to access, modify, or delete data belonging to other users.
To ensure the security of your Deployment of PlacementOS:
- Always use environment variables for secrets (e.g.,
JWT_SECRET,OPENAI_API_KEY,MONGO_URI). Never commit.envfiles. - Ensure your MongoDB instance is secured with authentication and is not publicly exposed to the internet.
- Keep Node.js and all npm dependencies updated to their latest secure versions.
- Enable HTTPS on your production deployment.
- Acknowledgement: Within 48 hours of your report.
- Triage & Validation: Within 7 days.
- Patch Development: Priority depends on the severity. Critical patches will be released as soon as possible.
- Disclosure: We will publish a security advisory and notify users once the patch is released.
Thank you for helping to keep PlacementOS secure!