Skip to content

Enhance SECURITY.md with comprehensive security policy #4633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jbogard merged 1 commit into from
Apr 23, 2026
+72 −0
Merged

Enhance SECURITY.md with comprehensive security policy #4633

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# Security Policy

## Supported Versions

Lucky Penny Software LLC maintains the latest major versions of its libraries.

Security updates are provided for:
- The current major version
- The previous major version

Versions outside of active maintenance may not receive security updates.

---

## Reporting a Vulnerability

If you believe you have identified a security vulnerability, please report it using GitHub’s private vulnerability reporting feature:

👉 Use the "Report a vulnerability" option in the Security tab of this repository.

This ensures reports are handled securely and privately.

If GitHub reporting is not available, you may contact:

📧 security@luckypennysoftware.com

Please include:
- A description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact

---

## Disclosure Process

Lucky Penny Software LLC follows a responsible disclosure process:

1. Vulnerabilities are reviewed and validated
2. Fixes are developed and tested
3. Updates are released via new package versions (e.g., NuGet)
4. Public disclosure is made via GitHub Security Advisories when appropriate

We aim to address critical vulnerabilities as quickly as practicable.

---

## Security Practices

Lucky Penny Software LLC develops distributed software libraries and does not operate a hosted service or process customer or financial data.

Security practices include:
- Dependency monitoring and vulnerability alerts (e.g., GitHub Dependabot)
- Review of security advisories and upstream disclosures
- Timely remediation of identified vulnerabilities
- Secure development practices and code review prior to release

---

## Scope

This security policy applies to:
- AutoMapper
- MediatR
- Other libraries maintained by Lucky Penny Software LLC

These libraries run within customer-controlled environments. Customers are responsible for securing their own applications and infrastructure.

---

## Additional Information

Lucky Penny Software LLC does not maintain formal certifications such as SOC 2 or ISO 27001. Security practices are implemented in alignment with industry best practices and are appropriate to the company’s size and service model.
Loading