Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: [email protected]

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Response time: Within 48 hours
• Updates: Every 5 business days
• Resolution: We aim to patch critical issues within 7 days

• Security issues are embargoed until a fix is released
• Credit will be given to reporters (unless anonymity is requested)
• CVE IDs will be assigned for confirmed vulnerabilities

When using the CapiscIO Python SDK:

1. Keep dependencies updated

   pip install --upgrade capiscio-sdk

2. Use signature verification

   config = SecurityConfig(
       downstream=DownstreamConfig(verify_signatures=True)
   )

3. Enable rate limiting

   config = SecurityConfig(
       downstream=DownstreamConfig(enable_rate_limiting=True)
   )

4. Use strict mode in production

   config = SecurityConfig.strict()

5. Monitor logs for validation failures

   config = SecurityConfig(log_validation_failures=True)

• Uses cryptography library (audited, industry standard)
• Supports RS256, RS384, RS512 algorithms
• JWKS endpoints must use HTTPS

• In-memory implementation (single-server only)
• For distributed systems, use external rate limiter

• Validation results cached with TTL
• Cache keys include content hashes
• Invalidation on configuration changes

This project uses:

• Dependabot for dependency updates
• CodeQL for static analysis
• Safety for Python dependency checking

For security concerns: [email protected]