Skip to content

Security Policy

Supported Versions

We actively support the following versions with security updates:

Version Supported
0.6.x :white_check_mark:
< 0.6 :x:

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. GitHub Security Advisories (Preferred)
  2. Go to the Security Advisories page
  3. Click "New draft security advisory"

  4. Fill in the details and submit

  5. Email

  6. Send details to the repository maintainers
  7. Include "SECURITY" in the subject line

What to Include

Please include the following information in your report:

  • Description: A clear description of the vulnerability
  • Impact: The potential impact of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Affected Versions: Which versions are affected
  • Suggested Fix: If you have one (optional)

What to Expect

  • Acknowledgment: We will acknowledge receipt within 48 hours
  • Initial Assessment: We will provide an initial assessment within 7 days
  • Resolution Timeline: We aim to resolve critical issues within 30 days
  • Credit: We will credit reporters in the security advisory (unless you prefer to remain anonymous)

Scope

This security policy applies to:

  • The jquantstats Python package and its public API
  • GitHub Actions workflows provided by this repository
  • The REST API (api/)

Out of Scope

The following are generally out of scope:

  • Vulnerabilities in upstream dependencies (report these to the respective projects)
  • Issues that require physical access to a user's machine
  • Social engineering attacks
  • Denial of service attacks that require significant resources

Security Measures

This project implements several security measures:

Code Scanning

  • CodeQL: Automated code scanning for Python and GitHub Actions
  • Bandit: Python security linter integrated in CI and pre-commit
  • pip-audit: Dependency vulnerability scanning

Supply Chain Security

  • SLSA Provenance: Build attestations for release artifacts (public repositories only)
  • Locked Dependencies: uv.lock ensures reproducible builds
  • Renovate: Automated dependency updates with security patches

Release Security

  • OIDC Publishing: PyPI trusted publishing without stored credentials
  • Signed Commits: GPG signing supported for releases
  • Tag Protection: Releases require version tag validation

Security Best Practices for Users

When using jquantstats in your projects:

  1. Pin your dependencies: Always commit uv.lock or equivalent for reproducible builds
  2. Keep Updated: Upgrade to the latest jquantstats release to receive security patches
  3. Enable Dependabot: Enable Dependabot in your repositories to catch vulnerable transitive dependencies
  4. Configure Branch Protection: Require PR reviews and status checks

Acknowledgments

We thank the security researchers and community members who help keep jquantstats secure.