NeoAnd/evolution-api
1
0
Fork 0
mirror of https://github.com/EvolutionAPI/evolution-api.git synced 2025-12-11 10:59:37 -06:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
dfea584aa7
evolution-api/SECURITY.md
Davidson Gomes 805f40c841 feat: add code quality tools and security policy 
- Configure Husky with pre-commit and pre-push hooks
- Add commitlint for conventional commit validation
- Create comprehensive security policy (SECURITY.md)
- Add GitHub Actions for security scanning and dependency review
- Create PR and issue templates for better collaboration
- Add Canny.io references for community feedback
- Fix path traversal vulnerability in /assets endpoint
- Create MySQL schema sync analysis tools
2025-09-17 15:05:17 -03:00

100 lines
3.0 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Security Policy
## Supported Versions
We actively support the following versions of Evolution API with security updates:
| Version | Supported |
| ------- | ------------------ |
| 2.3.x | ✅ Yes |
| 2.2.x | ✅ Yes |
| 2.1.x | ⚠️ Critical fixes only |
| < 2.1 | No |
## Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a security vulnerability in Evolution API, please help us by reporting it responsibly.
### 🔒 Private Disclosure Process
**Please DO NOT create a public GitHub issue for security vulnerabilities.**
Instead, please report security vulnerabilities via email to:
**📧 contato@evolution-api.com**
### 📋 What to Include
When reporting a vulnerability, please include:
- **Description**: A clear description of the vulnerability
- **Impact**: What an attacker could achieve by exploiting this vulnerability
- **Steps to Reproduce**: Detailed steps to reproduce the issue
- **Proof of Concept**: If possible, include a minimal proof of concept
- **Environment**: Version of Evolution API, OS, Node.js version, etc.
- **Suggested Fix**: If you have ideas for how to fix the issue
### 🕐 Response Timeline
We will acknowledge receipt of your vulnerability report within **48 hours** and will send you regular updates about our progress.
- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Resolution Timeline**: Varies based on complexity, typically 30-90 days
### 🎯 Scope
This security policy applies to:
- Evolution API core application
- Official Docker images
- Documentation that could lead to security issues
### 🚫 Out of Scope
The following are generally considered out of scope:
- Third-party integrations (Chatwoot, Typebot, etc.) - please report to respective projects
- Issues in dependencies - please report to the dependency maintainers
- Social engineering attacks
- Physical attacks
- Denial of Service attacks
### 🏆 Recognition
We believe in recognizing security researchers who help us keep Evolution API secure:
- We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)
- For significant vulnerabilities, we may feature you in our Hall of Fame
- We will work with you on coordinated disclosure timing
### 📚 Security Best Practices
For users deploying Evolution API:
- Always use the latest supported version
- Keep your dependencies up to date
- Use strong authentication methods
- Implement proper network security
- Monitor your logs for suspicious activity
- Follow the principle of least privilege
### 🔄 Security Updates
Security updates will be:
- Released as patch versions (e.g., 2.3.1 2.3.2)
- Documented in our [CHANGELOG.md](./CHANGELOG.md)
- Announced in our community channels
- Tagged with security labels in GitHub releases
## Contact
For any questions about this security policy, please contact:
- **Email**: contato@evolution-api.com
---
Thank you for helping keep Evolution API and our community safe! 🛡
Reference in New Issue View Git Blame Copy Permalink