## Supported Versions

| Version | Supported | Notes |
|---|---|---|
| 0.36.x | ✅ | Current development |
| 0.35.x | ✅ | Latest stable |
| < 0.35 | ❌ | End of life |

We recommend using the latest stable version for security updates.
## Reporting a Vulnerability

Security vulnerabilities should NEVER be reported publicly.

Use GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab), or email security@qrun.io.

Please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- QQQ version, Java version, OS details
## Response Timeline

| Stage | Timeline |
|---|---|
| Initial response | 24 hours |
| Assessment | 3 business days |
| Resolution | Based on severity |
## Security Scanning

This repository uses automated security scanning:

| Tool | Purpose | Status |
|---|---|---|
| CodeQL | Static analysis for vulnerabilities | Enabled |
| Dependabot | Dependency vulnerability alerts | Enabled |
| Secret Scanning | Detect leaked credentials | Enabled |
| Push Protection | Block commits with secrets | Enabled |

Dependency handling:

- Dependabot automatically creates PRs for vulnerable dependencies
- Security updates are prioritized and typically merged within 48 hours
- All dependencies are regularly audited
## Security Features

QQQ includes built-in security features:

- Authentication - Table-based, OAuth2, Auth0 support
- Authorization - Role-based access control with security keys
- Input Validation - Comprehensive sanitization
- Audit Logging - Configurable audit trails
- Password Hashing - PBKDF2 with SHA256 (100k iterations)
## Requirements for Contributions

- All PRs require passing CodeQL analysis
- Dependencies must not introduce HIGH/CRITICAL vulnerabilities
- Secrets must never be committed (push protection enabled)
- Follow secure coding practices per CODE_STYLE.md
## Contact

- Security issues: security@qrun.io
- General contact: contact@qrun.io
- Organization: QRun-IO