
Security: valorisa/Github-Repository-Analyzer


SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

We take the security of GitHub Repository Analyzer seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

How to Report

Send an email to the maintainer via GitHub: @valorisa

Include the following information:

  • Type of vulnerability (e.g., authentication bypass, information disclosure, code injection)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to Expect

  • Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
  • Investigation: We will investigate and validate the vulnerability within 5 business days
  • Updates: We will keep you informed of our progress
  • Resolution: We will release a fix as soon as possible, depending on complexity
  • Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

Security Best Practices

When using GitHub Repository Analyzer:

Token Security

  • Never commit tokens to version control
  • Use environment variables or secure secret management systems
  • Generate fine-grained tokens with minimum required permissions
  • Rotate tokens regularly (recommended: every 90 days)
  • Revoke tokens immediately if compromised

API Usage

  • Validate all inputs before passing to GitHub API
  • Use HTTPS for all API communications (enforced by default)
  • Respect rate limits to avoid service disruption
  • Monitor token usage in CI/CD pipelines

Data Handling

  • Don't log sensitive data (tokens, private repository contents)
  • Sanitize output before sharing publicly
  • Be cautious with exported data: CSV/JSON files may contain private information
  • Use read-only tokens when analysis doesn't require write access

Known Security Considerations

GitHub Token Exposure

  • Tokens are passed via environment variables (GITHUB_TOKEN)
  • Tokens are never logged in verbose mode
  • Configuration files (~/.github-stats.yaml) should have restricted permissions (600)
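As an added illustration of the controls listed above (this is example code, not part of the project), the snippet below reads the token only from GITHUB_TOKEN, checks that ~/.github-stats.yaml is no more permissive than mode 600, and installs a logging filter that redacts anything shaped like a GitHub token so it cannot leak in verbose output. Function names and the token regex are assumptions for this example; the ghp_/github_pat_ prefixes are GitHub's published token formats.

```python
import logging
import os
import re
import stat

CONFIG_PATH = os.path.expanduser("~/.github-stats.yaml")

# Assumed pattern for GitHub tokens: classic PATs start with ghp_ (and related
# gh?_ prefixes), fine-grained PATs with github_pat_. Adjust if formats change.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b")


def mode_is_restricted(mode: int) -> bool:
    """True if no group/other permission bits are set (0600, 0400, ...)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def config_mode_is_restricted(path: str = CONFIG_PATH) -> bool:
    """Check the on-disk config file against the 600 recommendation."""
    return mode_is_restricted(os.stat(path).st_mode)


def load_token(env_var: str = "GITHUB_TOKEN") -> str:
    """Read the token from the environment only; never from argv or a log."""
    token = os.environ.get(env_var, "")
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a token")
    return token


def redact_tokens(text: str) -> str:
    """Replace every token-shaped substring with a fixed placeholder."""
    return TOKEN_RE.sub("[REDACTED_TOKEN]", text)


class RedactTokenFilter(logging.Filter):
    """Logging filter that scrubs tokens from both the message and its args."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_tokens(str(record.msg))
        if record.args:
            record.args = tuple(redact_tokens(str(a)) for a in record.args)
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    logging.getLogger().addFilter(RedactTokenFilter())
    if os.path.exists(CONFIG_PATH) and not config_mode_is_restricted():
        logging.warning("%s is readable by group/other; chmod 600 it", CONFIG_PATH)
    # Constructed sample value, not a real credential.
    logging.debug("Authorization: token %s", "ghp_" + "A" * 36)
```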

Rate Limiting

  • The tool respects GitHub's rate limits to prevent service abuse
  • Automatic retry logic prevents denial-of-service scenarios
  • --dry-run mode allows testing without consuming quota

Dependency Security

  • All dependencies are pinned with version constraints in requirements.txt
  • Dependabot monitors for known vulnerabilities
  • Regular security audits with bandit and safety

Disclosure Policy

When we receive a security bug report, we will:

  1. Confirm the problem and determine affected versions
  2. Audit code to find similar problems
  3. Prepare fixes for all supported versions
  4. Release security patches as soon as possible

We will coordinate disclosure timing with the reporter to ensure users have time to update before public disclosure.

Security Update Process

Security updates are released as patch versions (e.g., 1.0.1 → 1.0.2) and include:

  • Security advisory on GitHub
  • CHANGELOG.md entry with severity level
  • Git tag with security fix
  • PyPI release with updated version

Users are strongly encouraged to update to the latest version immediately when security patches are released.

Contact

For any security-related questions or concerns, please contact the maintainer: @valorisa
