This document outlines the security practices and considerations for the middlewarehq/middleware repository.

Reporting Security Vulnerabilities

We appreciate your help in keeping middleware secure. If you discover a security vulnerability, please report it responsibly by following these steps:

• Email: Send an email to security@middlewarehq.com.
• Include:
  • A detailed description of the vulnerability, including the affected components and potential impact.
  • Steps to reproduce the vulnerability (if possible), including any specific code snippets or configurations.
  • Any additional information that may help us understand and address the vulnerability.

We will respond to all security reports within 48 hours with a confirmation of receipt. We will work with you to understand the vulnerability and develop a plan for addressing it. This may involve fixing the vulnerability in the codebase, releasing a new version of the software, or providing a workaround.

Security Policy

We are committed to developing secure software. We follow industry best practices for secure coding and development. This includes:

• Regular code reviews: All code changes undergo thorough code reviews by experienced developers, looking for potential security vulnerabilities before they are merged into the main codebase.
• Dependency management: We use a dependency management tool (such as npm or yarn) to keep all third-party libraries up-to-date and address known vulnerabilities in dependencies. We prioritize using libraries with a good security track record.
• Secure coding practices: Our developers are trained in secure coding practices to help prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure direct object references (IDOR). We use static code analysis tools to identify potential security issues in the code.
• Security testing: We may conduct periodic security testing of the software using penetration testing tools or manual security assessments.

Security Disclosures

We are committed to responsible disclosure of security vulnerabilities. We will publicly disclose security vulnerabilities after we have had a reasonable opportunity to fix the vulnerability in a new software release. We will consider the severity of the vulnerability, the potential impact on users, and the ease of exploitation when making a disclosure decision. We will coordinate vulnerability disclosures with any third-party vendors whose software is affected.

Contributions

If you are contributing code to the middlewarehq/middleware repository, please be sure to follow these security guidelines:

• Review code for security vulnerabilities: Before submitting a pull request, review your code for potential security vulnerabilities. Consider using static code analysis tools to help you identify potential issues.
• Use secure coding practices: Follow secure coding practices to help prevent common vulnerabilities. Resources such as the OWASP Top 10 (https://owasp.org/www-project-top-ten/) can provide guidance on secure coding practices.
• Stay up-to-date on security vulnerabilities: Keep yourself informed about security vulnerabilities in the languages and libraries you are using. Subscribe to security advisories from relevant vendors and projects.

Additional Resources

• OWASP Top 10: https://owasp.org/www-project-top-ten/
• GitHub Security Lab: https://securitylab.github.com/

We appreciate your help in keeping middleware secure!