Security: aze3ma/canon

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:

Version Supported
0.1.x
< 0.1

Reporting a Vulnerability

Please report (suspected) security vulnerabilities by opening a security advisory on GitHub. You will receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible; the timeline depends on complexity, but historically fixes have shipped within a few days.

What to Include

When reporting a security vulnerability, please include:

  • Type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

What NOT to Include

  • Do NOT include attachments - paste the content inline
  • Do NOT share the vulnerability publicly until it has been addressed

Security Best Practices

Canon is a CLI tool that operates on local files. However, here are some security considerations:

For Users

  • File Permissions: Ensure .canon/ directory has appropriate permissions (not world-writable)
  • Input Validation: When using canon check, validate inputs from untrusted sources
  • JSON Parsing: Canon validates JSON input, but be cautious with files from untrusted sources

For Developers

  • Dependencies: Keep dependencies up to date (Dependabot is configured)
  • Input Validation: All user inputs are validated before processing
  • Error Handling: Sensitive information is not exposed in error messages
  • File System: Canon only reads from the .canon/ directory and never writes outside it (except canon init)

Disclosure Policy

When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

  1. Confirm the problem and determine the affected versions
  2. Audit code to find any potential similar problems
  3. Prepare fixes for all releases still under maintenance
  4. Release fixes as soon as possible

Recognition

We believe in recognizing security researchers who help keep Canon secure. With your permission, we will:

  • Credit you in the security advisory
  • Add your name to our SECURITY.md file
  • Mention you in the release notes (if you wish)

Thank you for helping keep Canon and our users safe!
