We actively support the following versions with security updates:

| Version | Supported | End of Support |
|---|---|---|
| 2.x.x | ✅ | Current |
| 1.x.x | ✅ | December 2025 |
| < 1.0 | ❌ | Unsupported |

We take the security of PRSMTECH projects seriously. If you discover a security vulnerability, please follow these steps:
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities via email:
Email: admin@prsmtech.com
Subject Line: [SECURITY] Brief description of vulnerability
Please include the following information in your report:
- Description: A clear description of the vulnerability
- Impact: The potential impact of the vulnerability
- Affected Versions: Which versions are affected
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: Code, screenshots, or other evidence (if applicable)
- Suggested Fix: Any recommendations for remediation (optional)

| Action | Timeline |
|---|---|
| Initial Response | Within 48 hours |
| Preliminary Assessment | Within 5 business days |
| Status Update | Every 7 days until resolved |
| Fix Implementation | Based on severity (see below) |

| Severity | Description | Target Resolution |
|---|---|---|
| Critical | Remote code execution, data breach, authentication bypass | 24-72 hours |
| High | Privilege escalation, significant data exposure | 7 days |
| Medium | Limited data exposure, XSS, CSRF | 30 days |
| Low | Minor information disclosure, DoS | 90 days |

At this time, PRSMTECH does not operate a formal bug bounty program with monetary rewards.
However, we deeply appreciate security researchers who responsibly disclose vulnerabilities. Researchers who submit valid reports will receive:
- Public acknowledgment (with permission) in our security advisories
- A letter of appreciation for their contribution
- Consideration for early access to new features and beta programs
We are exploring the possibility of a formal bug bounty program in the future. Updates will be posted to this policy.
- Never commit secrets: Use environment variables for API keys, tokens, and credentials
- Input validation: Always validate and sanitize user input
- Parameterized queries: Use prepared statements to prevent SQL injection
- Dependency management: Keep dependencies updated and audit regularly
- Error handling: Never expose stack traces or sensitive error details to users
- Use strong password hashing (bcrypt, argon2)
- Implement proper session management
- Apply principle of least privilege
- Use HTTPS for all connections
- Implement rate limiting on authentication endpoints
- Encrypt sensitive data at rest and in transit
- Minimize data collection and retention
- Implement proper access controls
- Log security-relevant events
- Follow data protection regulations (GDPR, CCPA as applicable)
- Use `.gitignore` to exclude sensitive files
- Never use production data in development
- Implement pre-commit hooks for secret detection
- Use separate credentials for each environment
- Enable two-factor authentication on all accounts
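As an added illustration of the "Parameterized queries" item above (example code written for this page, not code from PRSMTECH's projects or this policy), the following Python puts the string-spliced query beside its prepared-statement form. It uses only the standard-library `sqlite3` module and a constructed in-memory `users` table (the table, its rows, and the `hostile` input are assumptions for the demo), so it runs offline; the point it shows is that a bound placeholder treats the input purely as a value and cannot alter the statement.

```python
import sqlite3

# Constructed sample data for the demo (assumption, not from the policy).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's input is spliced into the SQL text.

    Any quote character in `name` ends the string literal, so the input
    can change the meaning of the WHERE clause.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: the `?` placeholder binds `name` as a parameter.

    The database receives the statement and the value separately, so the
    value can never be parsed as SQL, whatever characters it contains.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with a constructed hostile input."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input: closes the literal and appends a tautology
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),  # every row leaks
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_hostile": find_user_safe(conn, hostile),  # no user has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The detection angle is the same as the fix: a code-review or static-analysis rule that flags SQL strings built with f-strings, `%` formatting, or concatenation catches the first function and passes the second.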
Security updates and advisories will be communicated through:
- GitHub Security Advisories
- Direct email notification to affected users (when applicable)
- Updates to this SECURITY.md file
For security-related inquiries:
- Email: admin@prsmtech.com
- Response Hours: Monday-Friday, 9 AM - 6 PM EST
For non-security issues, please use the standard GitHub issue templates.
PRSMTECH Security Policy v1.0
Last Updated: December 2024