We actively support the following versions of infra-cost with security updates:

We take the security of infra-cost seriously. If you discover a security vulnerability, please follow these steps:

Do NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities privately:

1. Email: security@codecollab.co
2. Subject: "Security Vulnerability in infra-cost"
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 24 hours
• Initial Assessment: Within 72 hours
• Fix Development: Within 7 days for critical issues
• Public Disclosure: After fix is released (coordinated disclosure)

When using infra-cost, please follow these security practices:

• Never commit AWS credentials or API keys to version control
• Use IAM roles when running on AWS infrastructure
• Regularly rotate access keys
• Use least-privilege access principles

• Keep infra-cost updated to the latest version
• Use secure networks when accessing cloud APIs
• Audit your cloud provider permissions regularly

• Be aware that cost data might contain sensitive information
• Use secure channels when sharing reports
• Consider data retention policies for exported reports

We appreciate security researchers who help keep infra-cost secure:

infra-cost includes the following security features:

• No data persistence: Cost data is not stored locally by default
• Read-only permissions: Only requires read access to cost APIs
• Secure authentication: Supports multiple secure authentication methods
• Audit logging: Optional audit trail for compliance requirements

For security-related questions or concerns:

• Security Email: security@codecollab.co
• General Issues: GitHub Issues
• Website: https://codecollab.co

Last updated: October 2024