Security Policy

Reporting Security Vulnerabilities

If you discover a security vulnerability in pain001, please email security@pain001.com instead of using the issue tracker.

Please include:

We will acknowledge receipt within 48 hours and provide updates on remediation timeline.

Pain001 adheres to OWASP Top 10 prevention practices:

Input Validation: All untrusted inputs validated for type, length, format, range
Secrets Protection: No credentials hardcoded; environment variables required
XXE Prevention: Uses defusedxml exclusively, never xml.etree.ElementTree
SQL Protection: Parameterized queries used; no string formatting
Deserialization: JSON only for untrusted data; never pickle
Network Security: TLS verification mandatory; explicit timeouts on all requests
Cryptography: AES-256, SHA-256+, bcrypt/argon2 for passwords

Weekly Dependabot scans for CVEs
Security updates prioritized: critical (7 days), high (30 days), medium (60 days)
Transitive dependency auditing with poetry show --tree
SBOM generation via CycloneDX for supply chain transparency

The project uses Codecov for coverage tracking. To enable Codecov in your fork:

Note: The Codecov token (AaUxKfRiou) is stored in the badge URL for public repositories. For private repos, use GitHub Secrets:

# In GitHub Settings → Secrets → New repository secret
CODECOV_TOKEN=<your-codecov-token>

Email: security@pain001.com
GitHub Issues: https://github.com/sebastienrousseau/pain001/security/advisories
GitHub Discussions: https://github.com/sebastienrousseau/pain001/discussions