We actively support the following versions of this project:
| Version | Supported |
|---|---|
| 1.x.x | β |
| < 1.0 | β |
If you discover a security vulnerability in this project, please report it responsibly:
- Email: Send details to singh@janpreet.com
- Subject: Use "SECURITY: [Brief Description]"
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes
- Vulnerability Type: Buffer overflow, injection, authentication bypass, etc.
- Affected Components: Calendar data, date parsing, web interface, etc.
- Reproduction Steps: Clear steps to reproduce the issue
- Impact Assessment: Potential consequences of the vulnerability
- Environment: Operating system, Node.js version, etc.
- Initial Response: Within 48 hours
- Triage: Within 1 week
- Fix Development: Varies by complexity
- Disclosure: After fix is released
This project handles religious calendar data, making accuracy critical:
- Data Tampering: Calendar data could be modified to show incorrect religious dates
- Source Validation: SGPC data sources should be verified for authenticity
- Automated Updates: GitHub Actions workflows should be secured against malicious PRs
- npm Packages: We regularly audit dependencies for vulnerabilities
- Automated Scanning: GitHub Dependabot monitors for security updates
- Manual Review: Critical dependencies are manually reviewed
- XSS Prevention: Calendar display should sanitize all user inputs
- CSP Headers: Content Security Policy should be implemented
- Input Validation: Date parsing should validate input formats
- npm Publishing: Automated publishing should be secured
- Code Signing: Consider signing releases for integrity verification
- Supply Chain: Monitor for unauthorized package modifications
- Never commit sensitive data (API keys, tokens, passwords)
- Use secure coding practices when handling date parsing
- Validate all inputs from external sources
- Follow the principle of least privilege in automation
- Keep dependencies updated and audit regularly
- Verify package integrity when installing
- Use official sources (npm, GitHub releases)
- Keep the package updated to latest stable version
- Report suspicious behavior immediately
- Calendar Data Manipulation: Incorrect religious dates could mislead users
- Code Injection: Malicious code in calendar data or dependencies
- Authentication Bypass: Unauthorized access to update mechanisms
- Date Parsing Issues: Buffer overflows or crashes from malformed dates
- Dependency Vulnerabilities: Security issues in third-party packages
- Information Disclosure: Leaking sensitive configuration or data
- Resource Exhaustion: DoS through calendar generation overload
- Privacy Concerns: Tracking or data collection in web interface
We follow responsible disclosure practices:
- Private Notification: Security issues are handled privately initially
- Coordinated Disclosure: Public disclosure after fix is available
- Credit: Security researchers are credited (if desired)
- CVE Assignment: Critical vulnerabilities may receive CVE numbers
Security patches will be:
- Prioritized: Released as soon as possible
- Clearly Marked: Tagged with security labels
- Documented: Include details about the fix
- Backwards Compatible: When possible, maintain API compatibility
- Primary: singh@janpreet.com
- GitHub: Create a private vulnerability report via GitHub Security tab
- Response Time: 48 hours maximum
- Safe Harbor: We won't take legal action against researchers who follow responsible disclosure
- Good Faith: Security research conducted in good faith is welcome
- Scope: This policy applies to the nanakshahi-ical project and related repositories
We appreciate security researchers who help keep this project secure:
No vulnerabilities reported yet.
Thank you for helping keep our calendar project secure! π