# Security Policy

Thank you for taking an interest in the security of **adof** (Automatic Dotfile Organizer Friend)! This document describes our security practices and how to report vulnerabilities so that adof stays secure for all users.

## Supported Versions

Only the latest stable release of adof receives security fixes. If you run an older version, update to the latest release to receive security updates and improvements.

| Version  | Supported          |
| -------- | ------------------ |
| latest   | :white_check_mark: |
| < latest | :x:                |

## Reporting a Vulnerability

If you discover a security vulnerability, please report it as soon as possible. Here is how to proceed:

1. **Email Me**: Send an email to <fnabinash@gmail.com> with the subject line "Security Vulnerability Report for adof". In your message, include:
   - A detailed description of the vulnerability.
   - Steps to reproduce the issue.
   - The impact or risk you believe the vulnerability presents.
2. **Do Not Open a Public Issue**: Do not open a GitHub issue to discuss a vulnerability; issues are public and would expose the problem before it is fixed.
3. **Encryption**: If you prefer encrypted communication, ask in your first email and we will provide a public PGP key.

We appreciate responsible disclosure and will work with you to address and resolve the issue promptly.

## Security Practices

To keep your use of adof secure, please follow these practices:

1. **Access Control**:
   - Run adof only with the permissions it needs.
   - Avoid running adof with elevated privileges (for example via `sudo`) unless absolutely necessary; organizing dotfiles in your own home directory does not normally require them.
2. **Sensitive Data Handling**:
   - Avoid tracking or deploying files that contain sensitive information, such as passwords, API tokens, or private keys (for example `~/.netrc` or `~/.ssh/id_*`).
   - If you do need to track sensitive files, use adof's planned encryption features to protect their contents once they are available; until then, keep such files out of the tracked set.
3. **Authentication**:
   - When linking adof to a GitHub repository, keep your credentials or tokens secure and give them the narrowest scope that works (ideally access to the dotfiles repository only).
   - Rotate any tokens used with adof regularly, especially if you use automated tasks such as `auto_update`, and revoke a token immediately if you suspect it has leaked.
4. **Updates**:
   - Enable auto-updates so you are always running the latest, most secure version of adof.
   - Regularly check the release notes for security patches and new features.
5. **Reporting Other Issues**:
   - For non-security issues, such as bugs or feature requests, feel free to open an issue in the GitHub repository.
   - For further assistance, contact me at <fnabinash@gmail.com>.

## Security Response Process

Upon receiving a security report, we will:

1. Acknowledge receipt of the report within 48 hours and begin an internal investigation.
2. Identify and implement a fix for the issue.
3. Test the fix to ensure it resolves the issue without introducing new vulnerabilities.
4. Release a patch or update if necessary, and credit the reporter if they wish to be acknowledged.

## Contact Us

For further questions about adof's security, please reach out to me at <fnabinash@gmail.com>.

---

Thank you for helping me make adof safe and secure for everyone!
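As an added example of the Sensitive Data Handling practice above (this is illustrative code written for this page, not part of adof and not adof's own behaviour): a small Python check that flags candidate dotfiles which look like they carry secrets, so they can be excluded before a tool like adof tracks or pushes them. The file-name list, the regular expressions, the tag names and the sample dotfiles are assumptions of this example; the sample home directory is constructed in a temporary folder so the script runs offline.

```python
"""Flag dotfiles that appear to contain secrets before they are tracked.

Added example for this page, not adof's own code. Both the path-based and
the content-based rules below are heuristics chosen for illustration.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Content heuristics (assumed patterns). Each name becomes a finding tag.
SECRET_PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # KEY=value style assignments of obviously secret-named variables.
    "assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?\S{8,}"),
}

# Files that should never be tracked regardless of content (assumed list).
SENSITIVE_NAMES = {".netrc", ".npmrc", ".pypirc", "id_rsa", "id_ed25519", "id_ecdsa"}
SENSITIVE_SUFFIXES = (".aws/credentials", ".docker/config.json")


def scan_text(text: str) -> List[str]:
    """Return the sorted names of every content heuristic that fires on text."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def scan_file(path: Path, home: Path) -> List[str]:
    """Scan one candidate dotfile, combining path-based and content-based findings."""
    findings: List[str] = []
    rel = path.relative_to(home).as_posix()
    if path.name in SENSITIVE_NAMES or any(rel.endswith(s) for s in SENSITIVE_SUFFIXES):
        findings.append("sensitive_path")
    data = path.read_bytes()
    if b"\x00" not in data:  # the regexes are meant for text; skip binaries
        findings.extend(scan_text(data.decode("utf-8", errors="replace")))
    return findings


def check_dotfiles(candidates: Iterable[Path], home: Path) -> Dict[str, List[str]]:
    """Map each flagged file (path relative to home) to its findings.

    An empty dict means nothing in the candidate set looked sensitive.
    """
    report: Dict[str, List[str]] = {}
    for path in candidates:
        found = scan_file(path, home)
        if found:
            report[path.relative_to(home).as_posix()] = found
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed fake home directory and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        # Constructed sample dotfiles: two harmless, three that must be flagged.
        samples = {
            ".bashrc": "export EDITOR=vim\nalias ll='ls -la'\n",
            ".gitconfig": "[user]\n\tname = Alice\n",
            ".env": "GITHUB_TOKEN=ghp_" + "a" * 36 + "\n",
            ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n"
                               "-----END OPENSSH PRIVATE KEY-----\n",
            ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        }
        for rel, text in samples.items():
            target = home / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return check_dotfiles([home / rel for rel in samples], home)


if __name__ == "__main__":
    for rel, tags in demo().items():
        print(f"REFUSE {rel}: {', '.join(tags)}")
```

Run it before adding files to the tracked set; anything it reports should stay untracked (or wait for the encryption support mentioned above). The patterns deliberately err on the side of false positives, since a missed private key costs far more than a manual review of a flagged `.bashrc`.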