## Supported Versions
The crun-cli project provides security updates for the following versions:
| Version | Supported          |
| ------- | ------------------ |
| 1.x.x   | :white_check_mark: |
| 0.x.x   | :x:                |
## Reporting a Vulnerability
If you discover a security vulnerability in crun-cli, we encourage responsible disclosure. To report a vulnerability:
- Email the details to zouariomar20@gmail.com rather than opening a public issue, so the problem is not exposed before a fix is available.
- Include a detailed description of the issue, the affected version, steps to reproduce it and, if available, a proof of concept.
- We aim to acknowledge reports within 48 hours and will work closely with you to resolve the issue.
We appreciate the security community's efforts in helping us maintain crun-cli’s safety and integrity.
## Security Practices
crun-cli follows industry best practices for security to ensure safe transactions and protect user data:
1. Authentication and Authorization
   - Passwords are never stored in plain text; they are hashed with a slow, salted algorithm such as bcrypt.
   - Access control checks restrict each action to the users authorized to perform it.
2. Data Encryption
   - All sensitive data, including user credentials and personal information, is encrypted in transit (HTTPS/TLS) and at rest.
3. SQL Injection Protection
   - Parameterized queries and prepared statements are used throughout to prevent SQL injection; an ORM (Object-Relational Mapping) is used where possible.
   - Parameters protect values only: any table or column name that must vary at runtime should be checked against a fixed allowlist, since identifiers cannot be bound as parameters.
4. Cross-Site Scripting (XSS) Prevention
   - User input is validated, and user-generated content is escaped for the context in which it is rendered (HTML body, attribute, JavaScript, URL) so it cannot be executed as code.
5. Cross-Site Request Forgery (CSRF) Protection
   - State-changing forms and API requests carry an unpredictable, per-session CSRF token that the server verifies before acting.
6. Third-Party Dependency Management
   - Dependencies are regularly scanned for known vulnerabilities with tools such as OWASP Dependency-Check.
   - Security patches for dependencies are applied promptly.
7. Secure Configuration
   - Default settings are secure, and environment-specific secrets are kept out of the codebase (for example in .env files that are excluded from version control).
8. Content Security Policy (CSP)
   - A strict CSP limits where scripts, styles and other resources may be loaded from, reducing the impact of XSS and blocking unauthorized resource loading.
9. Monitoring and Logging
   - Logs are kept for key operations and monitored for abnormal patterns. Logs never contain credentials, tokens or other sensitive data.
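The SQL injection item above states the rule in one sentence. The following added example, written for this page and not taken from crun-cli, shows the vulnerable concatenated query beside the parameterized one against a constructed in-memory SQLite table, plus the allowlist check needed for a sort column, which cannot be bound as a parameter. The schema, row data, function names and payload are all assumptions made for the example.

```python
import sqlite3

# Constructed sample schema and rows for the example; not crun-cli's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote in
    # `name` changes the structure of the query.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterized: the driver binds the value, which can never be
    # interpreted as SQL no matter which characters it contains.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (table/column names) cannot be bound as parameters, so a
# caller-chosen sort column is checked against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn, order_col):
    if order_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_col!r}")
    return conn.execute(f"SELECT name FROM users ORDER BY {order_col}").fetchall()


# Classic tautology payload: closes the string literal and ORs in an
# always-true clause.
PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "unsafe": find_user_unsafe(conn, PAYLOAD),    # every row leaks
        "safe": find_user_safe(conn, PAYLOAD),        # no user has that literal name
        "safe_legit": find_user_safe(conn, "alice"),  # normal lookups still work
        "sorted": list_users_sorted(conn, "name"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query becomes `... WHERE name = 'x' OR '1'='1'` and returns every row; the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. The allowlist check is the part an ORM does not give you for free when query shape, not just values, comes from the caller.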
## Security Contributions
Contributors can help enhance crun-cli's security by following these practices:
- Adhere to secure coding standards and the above security practices when contributing.
- Conduct thorough security testing before submitting a pull request.
- Avoid including any sensitive data in code (e.g., passwords, API keys).
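As an added illustration of the "no sensitive data in code" rule (example code written for this page, not part of crun-cli or its tooling), here is a small check a contributor can run over a diff before opening a pull request. It scans only added lines and flags a few common credential shapes. The rules, the sample diff and the function names are assumptions; the AWS key in the sample is AWS's own documented example value, not a real credential.

```python
import re

# Illustrative rules for a pre-submission check; not a complete
# secret-detection ruleset.
SECRET_RULES = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # key/secret/password/token assigned a quoted literal of 8+ characters;
    # reading the value from the environment does not match.
    ("generic-secret", re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*[\"'][^\"']{8,}[\"']")),
]


def scan_diff(diff_text):
    """Return findings for added lines ('+' lines, excluding the '+++' file header)."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule, "text": line[1:].strip()})
                break  # one finding per line is enough to block the change
    return findings


# Constructed sample diff (AKIAIOSFODNN7EXAMPLE is AWS's documented example key).
SAMPLE_DIFF = """\
+++ b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+api_key = "sk_live_0123456789abcdef"
+# TODO: rotate keys before release
+-----BEGIN RSA PRIVATE KEY-----
"""


def check(diff_text):
    """True when the diff is clean; otherwise print each finding and return False."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"line {f['line']}: {f['rule']}: {f['text']}")
    return not findings


if __name__ == "__main__":
    raise SystemExit(0 if check(SAMPLE_DIFF) else 1)
```

Feed it `git diff --cached` output (for example from a pre-commit hook) and fail the commit on a non-zero exit. The second sample line, which reads the password from the environment, is what the "Secure Configuration" practice asks for and is correctly left alone.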
## Resources
For additional guidance on secure development, refer to:
Thank you for helping us make crun-cli secure for our users and the community!