The following versions of @juspay/kriya are currently supported with security updates:
| Version | Supported |
|---|---|
| X.x.x | ✅ |
| X.x.x | ✅ |
| < X.x | ❌ |
We take the security of @juspay/kriya seriously. If you discover a security vulnerability, please follow these guidelines:
Please DO NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Please report security vulnerabilities by emailing us at:
To help us triage and respond to your report quickly, please include:
- Description: A clear description of the vulnerability
- Impact: The potential impact of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Affected Versions: Which versions are affected
- Proof of Concept: Any code or screenshots demonstrating the vulnerability (if applicable)
- Suggested Fix: If you have suggestions for how to fix the vulnerability (optional)
We are committed to responding to security reports promptly:
| Action | Timeline |
|---|---|
| Initial Acknowledgment | Within 24 hours |
| Initial Assessment | Within 72 hours |
| Status Update | Every 5-7 days until resolved |

| Severity | Target Resolution Time |
|---|---|
| Critical | 24-48 hours |
| High | 7 days |
| Medium | 30 days |
| Low | 90 days |
Note: These timelines are targets. Actual resolution time may vary based on complexity.
When using @juspay/kriya, we recommend following these security best practices:
- Never commit API keys or secrets to version control
- Use environment variables or secure secret management solutions
- Rotate API keys regularly
- Use the minimum required permissions for API keys
- Store sensitive configuration in environment variables
- Use `.env` files only for local development
- Add `.env` to your `.gitignore` file
- Use different credentials for development and production
- Keep all dependencies up to date
- Regularly run `npm audit` or equivalent to check for vulnerabilities
- Review dependency changes before updating
- Consider using a dependency scanning tool in your CI/CD pipeline
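As an added example (not code from @juspay/kriya or from this policy), the Node.js module below turns the practices above into checks a project can actually run: a `.env` parser that is only consulted outside production, fail-fast loading of required secrets with a redacted view for logging, a simplified check that `.gitignore` really covers `.env`, and a CI gate over the parsed output of `npm audit --json`. The variable name `KRIYA_API_KEY`, the `high` failure threshold and all sample inputs are assumptions made for this example; kriya itself does not prescribe them.

```javascript
// Added example: the names below are assumptions, not anything @juspay/kriya
// itself defines. Adapt REQUIRED_SECRETS to the variables your code reads.
const REQUIRED_SECRETS = ['KRIYA_API_KEY'];

// npm's severity scale, lowest to highest, as used by `npm audit --json`.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Parse KEY=VALUE lines of a .env file: comments, blank lines, an optional
// "export " prefix and single/double quoted values. Multi-line values and
// ${VAR} interpolation are deliberately unsupported.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    out[m[1]] = value;
  }
  return out;
}

// Mask a secret for log output: keep only the last four characters.
function redact(secret) {
  if (typeof secret !== 'string' || secret.length < 8) return '***';
  return '***' + secret.slice(-4);
}

// Build the runtime config. The .env text is consulted only outside
// production, and real environment variables always take precedence, so a
// stray .env on a production host cannot override what the deployment set.
// Missing secrets abort start-up instead of surfacing later as auth errors.
function loadConfig(env, dotenvText = '') {
  const nodeEnv = env.NODE_ENV || 'development';
  const merged = nodeEnv === 'production' ? {} : parseDotenv(dotenvText);
  for (const [k, v] of Object.entries(env)) if (v !== undefined) merged[k] = v;
  const missing = REQUIRED_SECRETS.filter((k) => !merged[k]);
  if (missing.length > 0) {
    throw new Error('missing required secrets: ' + missing.join(', '));
  }
  const apiKey = merged.KRIYA_API_KEY;
  return {
    nodeEnv,
    apiKey,
    // What to put in logs and error reports instead of the raw config.
    redacted() { return { nodeEnv, apiKey: redact(apiKey) }; },
  };
}

function escapeRe(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
}

// Simplified .gitignore matching: comments, negation with "!", a leading or
// embedded "/" (anchors the pattern to the path) and the "*" wildcard.
// Directory rules, "**" and character classes are not modelled, so treat a
// false result as "check by hand", not as proof the file is tracked.
function gitignoreCovers(gitignoreText, relPath) {
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const negate = line.startsWith('!');
    let pat = negate ? line.slice(1) : line;
    const anchored = pat.includes('/');
    if (pat.startsWith('/')) pat = pat.slice(1);
    const re = new RegExp('^' + pat.split('*').map(escapeRe).join('[^/]*') + '$');
    const subject = anchored ? relPath : relPath.split('/').pop();
    if (re.test(subject)) ignored = !negate;
  }
  return ignored;
}

// CI gate over the parsed output of `npm audit --json` (npm 7+): fail when
// any finding is at or above failAt. The metadata.vulnerabilities counters
// are the stable part of that format, so only those are read.
function auditGate(report, failAt = 'high') {
  const threshold = SEVERITY_ORDER.indexOf(failAt);
  if (threshold < 0) throw new Error('unknown severity: ' + failAt);
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const blocking = SEVERITY_ORDER.slice(threshold)
    .reduce((n, s) => n + (counts[s] || 0), 0);
  return { ok: blocking === 0, blocking, counts };
}

// Constructed sample inputs standing in for process.env, a local .env file,
// a .gitignore and an audit report.
function demo() {
  const config = loadConfig({ NODE_ENV: 'development' }, 'KRIYA_API_KEY=dev-key-000001\n');
  const gitignored = gitignoreCovers('node_modules/\n.env\n', '.env');
  const gate = auditGate({ metadata: { vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 0, total: 3 } } });
  console.log(config.redacted(), { gitignored, gate });
  return { config, gitignored, gate };
}
demo();
```

In a pipeline, `auditGate` would be fed `JSON.parse` of `npm audit --json` and a non-zero exit returned when `ok` is false; `gitignoreCovers` is intentionally conservative, so wire it as a warning rather than treating a false result as a guarantee.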
Stay informed about security updates:
- Watch Releases: Watch the repository for release notifications
- GitHub Security Advisories: Enable security alerts for the repository
- Release Notes: Review release notes for security-related changes
Security advisories for @juspay/kriya are published at:
https://github.com/juspay/kriya/security/advisories
You can also view known vulnerabilities at:
https://github.com/juspay/kriya/security
At this time, @juspay/kriya does not offer a paid bug bounty program. However, we deeply appreciate the efforts of security researchers and will:
- Acknowledge your contribution in our security advisories (with your permission)
- Provide credit in release notes for responsibly disclosed vulnerabilities
- Consider adding you to our security hall of fame
If you are interested in participating in security research for @juspay/kriya, please reach out to us at opensource@juspay.in.
For any security-related questions or concerns, please contact:
Email: opensource@juspay.in
For non-security related issues, please use the standard GitHub issue tracker.
We would like to thank all security researchers and community members who help keep @juspay/kriya and its users safe.
This security policy is inspired by industry best practices and the collaborative efforts of the open source security community.
This security policy was last updated on the date of the latest commit to this file.