We take the security of community-collections seriously. This document outlines our security practices and how to report vulnerabilities.
| Version | Supported | Security Updates |
|---|---|---|
| Current main branch | β Yes | β Yes |
| Latest tagged release | β Yes | β Yes |
| Older versions | β No | β No |
Public disclosure can put users at risk. Please follow our responsible disclosure process.
Primary Method: Email us at security@amadeus.com
What to Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Proof of concept (if available)
- Your contact information (for follow-up questions)
Email Subject: Security: community-collections - [Brief Description]
- Acknowledgment: Within 1 business day
- Initial Assessment: Within 3 business days
- Detailed Response: Within 7 business days
- Patch Release: As soon as feasible, based on severity
- Keep dependencies updated: Run
npm updateregularly - Review content: Understand what prompts/instructions do before using
- Use trusted sources: Only install collections from trusted repositories
- Report suspicious content: If you notice harmful prompts, report them
- Validate all inputs: Use provided validation scripts
- Avoid sensitive data: Don't include passwords, API keys, or secrets
- Review dependencies: Check for known vulnerabilities in dependencies
- Follow secure coding practices: Use established security patterns
- Input validation: Be aware of potential prompt injection scenarios
- Output filtering: Consider what your prompts might generate
- Context isolation: Understand how prompts interact with user input
- Code review: Review generated code for security issues
- Testing: Test generated code in safe environments first
- Validation: Validate generated code before use
- No personal data: Don't include personal or sensitive information in prompts
- Compliance: Follow relevant data protection regulations
- Minimal data: Use only necessary data in prompts
- Input validation: All YAML and markdown files are validated
- Schema validation: JSON schemas enforce structure constraints
- Content scanning: Automated checks for common security issues
- Access control: Repository permissions control who can modify content
- Regular updates: Dependencies are updated regularly
- Vulnerability scanning: Automated scanning for known vulnerabilities
- Minimal dependencies: We limit dependencies to reduce attack surface
- Source verification: Dependencies are sourced from trusted repositories
- No sensitive information (passwords, keys, personal data)
- No malicious or harmful instructions
- Code examples are safe and follow best practices
- External links are to trusted sources
- Dependencies are secure and up-to-date
- Enable security advisories on GitHub
- Configure Dependabot alerts
- Regular security reviews of content
- Monitor for security-related issues
- Keep documentation updated
- Dependency scanning: Automated checks for known vulnerabilities
- Content analysis: Automated scanning for security issues
- Access logs: Monitoring of repository access patterns
- Issue tracking: Security-related issues are prioritized
- Regular security reviews: Quarterly security assessments
- Code reviews: Security-focused review of all changes
- Content audits: Periodic review of all published content
- Community feedback: Monitor community reports of issues
| Level | Description | Response Time |
|---|---|---|
| Critical | Immediate danger to users | Within 4 hours |
| High | Significant security impact | Within 24 hours |
| Medium | Moderate security issue | Within 3 days |
| Low | Minor security issue | Within 7 days |
- Assessment: Evaluate the severity and impact
- Communication: Notify affected users if needed
- Mitigation: Implement temporary fixes if needed
- Resolution: Develop and test permanent fixes
- Disclosure: Coordinate public disclosure if needed
- Email: security@amadeus.com
- Slack: #security-team (if available)
- GitHub: @security-lead
- Primary: security@amadeus.com
- Backup: Contact any Trusted Committer privately
- Emergency: security@amadeus.com
- Security advisories: Published on GitHub
- Release notes: Security fixes noted in releases
- Email notifications: For critical issues
- Slack announcements: For internal teams
- Assessment: Evaluate impact and urgency
- Development: Create and test fixes
- Release: Publish security updates
- Notification: Inform users of required actions
- npm audit: Check for known vulnerabilities
- GitHub Dependabot: Automated dependency updates
- CodeQL: Code analysis for security issues
- Snyk: Security scanning for dependencies
We welcome security contributions:
- Report vulnerabilities responsibly
- Suggest improvements to our security practices
- Submit security-focused pull requests
- Participate in security discussions
Thank you for helping keep community-collections secure! π‘οΈ