We release patches for security vulnerabilities in the following versions:

We take security seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should be reported privately to prevent exploitation.

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Fill in the details

Send details to: [email protected]

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)
• Your contact information

1. Acknowledgment: We'll acknowledge receipt within 48 hours
2. Investigation: We'll investigate and determine severity
3. Fix: We'll work on a fix and keep you updated
4. Release: We'll release a patched version
5. Credit: You'll be credited (if desired) in the release notes

• Initial response: 48 hours
• Status update: 7 days
• Fix release: 30 days (for high severity)

# Use authentication
mongodb:
  username: "your-username"
  password: "strong-password"
  
# Don't expose MongoDB publicly
# Bind to localhost only in mongod.conf:
net:
  bindIp: 127.0.0.1

# Always use API keys
rest-api:
  enabled: true
  api-key: "generate-strong-random-key"
  
# Restrict by IP
  allowed-ips:
    - "127.0.0.1"
    - "your-server-ip"

# Restrict config file permissions
chmod 600 plugins/NetworkDataAPI/config.yml

• Keep dependencies updated
• Review dependency changes in PRs
• Use mvn dependency:tree to check for vulnerabilities

• All PRs require review
• Security-sensitive changes need extra scrutiny
• Run CodeQL scans before merging

• Never commit credentials
• Use environment variables for sensitive data
• Rotate API keys regularly

• Connection strings may contain credentials
• Config files should have restricted permissions
• Use encrypted connections when possible

• API keys transmitted in headers
• Consider using HTTPS in production
• Rate limiting not implemented (consider adding)

• Cached data is stored in memory
• Cache doesn't encrypt sensitive data
• Clear cache on plugin disable

Before deploying:

• MongoDB authentication enabled
• Strong passwords/API keys used
• Config file permissions restricted
• REST API IP whitelist configured
• Latest version installed
• Dependencies up to date
• Logs reviewed for suspicious activity

We appreciate security researchers who responsibly disclose vulnerabilities:

• No reports yet - be the first!

For security concerns:

• GitHub Security Advisories (preferred)
• Email: [email protected]

For general questions:

• GitHub Issues
• Discussions

Thank you for helping keep NetworkDataAPI secure! 🔒