We take the security of hyperfrontend seriously. If you discover a security vulnerability, please help us protect our users by following responsible disclosure practices.
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities directly via email to:
andrew.redican.mejia@gmail.com
To help us understand and resolve the issue quickly, please include the following information in your report:
- Description: A clear description of the vulnerability
- Impact: The potential impact and severity of the issue
- Reproduction Steps: Detailed steps to reproduce the vulnerability
- Environment: The version of hyperfrontend affected, browser/Node.js version, operating system, etc.
- Proof of Concept: If possible, include a minimal code example or proof of concept
- Suggested Fix: If you have ideas on how to fix the issue (optional)
After you report, you can expect the following response timeline:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 2 business days
- Initial Assessment: We will provide an initial assessment within 5 business days
- Patch Development: We aim to develop and test a patch within 10 days of acknowledgment
- Public Disclosure: Please allow at least 10 days from the initial report before making the vulnerability publicly known
This grace period gives us time to:
- Verify and reproduce the issue
- Develop and test a fix
- Release a patched version
- Notify users to update their dependencies
We believe in coordinated disclosure and appreciate your cooperation in:
- Not exploiting the vulnerability beyond what is necessary to demonstrate it
- Not accessing, modifying, or deleting data that doesn't belong to you
- Allowing us reasonable time to address the issue before public disclosure
- Making a good faith effort to avoid privacy violations, data destruction, and service interruption
Once the vulnerability is patched and publicly disclosed, we will acknowledge your responsible disclosure in:
- Our release notes
- Our security advisories (if applicable)
- This SECURITY.md file (with your permission)
Thank you for helping keep hyperfrontend and its users safe!
When using hyperfrontend in your applications:
- Keep Dependencies Updated: Regularly update to the latest version to receive security patches
- Content Security Policy: Send appropriate CSP headers on both the host page and the embedded features; in particular, restrict `frame-src` on the host to the origins that serve your features and `frame-ancestors` on each feature to the origins allowed to embed it (note that `frame-ancestors` only works as an HTTP header, not in a `<meta>` tag)
- Input Validation: Treat every message that crosses a frame boundary as untrusted input, even from an origin you trust, since that origin may itself be compromised; validate the shape and type of each message before acting on it
- Origin Verification: In `message` event handlers, compare `event.origin` against an exact allowlist before processing the message, and always pass an explicit `targetOrigin` to `postMessage` instead of `"*"`
- Authentication: Implement proper authentication and authorization inside each sensitive feature; an embedded feature is an ordinary URL and can be loaded outside the shell, so it must not rely on the shell for access control
- HTTPS: Always serve hyperfrontend features over HTTPS in production; an origin check is only meaningful if an on-path attacker cannot impersonate the origin
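The origin verification, input validation and CSP points above, as an added example that is not part of hyperfrontend's own code or API: a small set of helpers a host or feature could wrap around `window.postMessage`. The function names (`createMessageReceiver`, `sendToFrame`, `buildEmbeddingCsp`), the message types and the sample origins are assumptions chosen for this illustration. The sample events at the end are constructed so the file runs under Node without a browser.

```javascript
'use strict';
// Added example, not hyperfrontend code. Hardened cross-frame messaging helpers;
// all names and message types are assumptions for illustration.

// Exact-match allowlist. Wildcards and substring matches are deliberately not
// supported: "origin.includes('example.com')" style checks are a classic bypass
// (https://example.com.attacker.net). The opaque origin "null" (sandboxed
// iframes, file://) is rejected as well.
function isAllowedOrigin(origin, allowlist) {
  if (typeof origin !== 'string' || origin === '' || origin === 'null') return false;
  return allowlist.includes(origin);
}

// Minimal schema check for messages exchanged between features. Data crossing the
// frame boundary is untrusted even from an allowed origin, because that origin may
// itself be running injected script.
const ALLOWED_TYPES = new Set(['feature:ready', 'feature:navigate', 'feature:event']);

function validateMessage(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'message is not an object' };
  }
  if (typeof data.type !== 'string' || !ALLOWED_TYPES.has(data.type)) {
    return { ok: false, reason: 'unknown message type' };
  }
  if (data.type === 'feature:navigate') {
    // Only same-document relative paths; "//host/..." would be protocol-relative.
    const p = data.path;
    if (typeof p !== 'string' || !p.startsWith('/') || p.startsWith('//')) {
      return { ok: false, reason: 'navigate path must be a relative path' };
    }
  }
  return { ok: true };
}

// Builds a listener for window.addEventListener('message', ...). Handlers are keyed
// by message type; rejected messages are reported to onReject and never reach them.
// Returns true if the message was dispatched, false if it was rejected.
function createMessageReceiver(allowlist, handlers, onReject = () => {}) {
  return function onMessage(event) {
    if (!isAllowedOrigin(event.origin, allowlist)) {
      onReject({ reason: 'origin not allowed', origin: event.origin });
      return false;
    }
    const verdict = validateMessage(event.data);
    if (!verdict.ok) {
      onReject({ reason: verdict.reason, origin: event.origin });
      return false;
    }
    handlers[event.data.type](event.data, event);
    return true;
  };
}

// Sending side: an explicit targetOrigin makes the browser drop the message if the
// target frame has meanwhile navigated to a different origin.
function sendToFrame(targetWindow, message, targetOrigin) {
  if (typeof targetOrigin !== 'string' || targetOrigin === '*') {
    throw new Error('refusing to postMessage without an explicit targetOrigin');
  }
  targetWindow.postMessage(message, targetOrigin);
}

// CSP for a host page that embeds features from featureOrigins and may itself only
// be framed by shellOrigin. Must be sent as an HTTP header: frame-ancestors is
// ignored in <meta> tags.
function buildEmbeddingCsp(featureOrigins, shellOrigin) {
  return [
    "default-src 'self'",
    `frame-src ${featureOrigins.join(' ')}`,
    `frame-ancestors ${shellOrigin}`,
  ].join('; ');
}

// Constructed sample events (not captured from any real deployment).
function runSample() {
  const rejected = [];
  const received = [];
  const push = (m) => received.push(m);
  const onMessage = createMessageReceiver(
    ['https://shell.example.com'],
    { 'feature:ready': push, 'feature:navigate': push, 'feature:event': push },
    (r) => rejected.push(r.reason)
  );
  const events = [
    { origin: 'https://shell.example.com', data: { type: 'feature:ready' } },
    { origin: 'https://shell.example.com.attacker.net', data: { type: 'feature:ready' } },
    { origin: 'null', data: { type: 'feature:ready' } },
    { origin: 'https://shell.example.com', data: { type: 'feature:navigate', path: '//attacker.net/' } },
    { origin: 'https://shell.example.com', data: '{"type":"feature:ready"}' },
    { origin: 'https://shell.example.com', data: { type: 'feature:navigate', path: '/orders/42' } },
  ];
  const results = events.map(onMessage);
  return { results, received: received.length, rejected };
}
```

In a browser the receiver is installed with `window.addEventListener('message', createMessageReceiver([...], handlers, log))`, and `sendToFrame(iframe.contentWindow, msg, 'https://feature.example.com')` replaces direct `postMessage` calls so that a `"*"` target can never slip in. Note that `event.origin` is the origin of the document that called `postMessage`, so the check protects the receiver but says nothing about who embeds it; that is what `frame-ancestors` is for.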
Security updates will be released as patch versions and documented in the CHANGELOG and GitHub Security Advisories.
We currently provide security updates for:
| Version | Supported |
|---|---|
| 0.0.x | ✅ |
As the project matures, we will update this table to reflect our long-term support policy.