The meroedu team takes web security very seriously. This means regular updates to keep the application's dependencies up-to-date, a detailed review process for every change made to the platform code, and immediate resolution of issues brought up by GitHub's automated security advisories.
This also means a clear policy on how to report vulnerabilities and receive updates when fixes for those vulnerabilities are released.
To report a security vulnerability, please send an email to medineshkatwal@gmail.com.
Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.
After the initial reply to your report, our team will endeavor to keep you informed of the progress being made towards a fix and full announcement. These updates will be sent at least once every week. In most cases, resolution of issues should take no more than 48 hours.
If you have not received a reply to your email within 48 hours, or have not heard from the meroedu team for the past week, there are a few steps you can take:
- Contact the lead developer (Dinesh Katwal) directly.
- Contact the developers on our Discord server.
Please note that the Discord server is a public area. When escalating the issue, please do not discuss the issue itself; simply say that you’re trying to get hold of someone from the development team.
- The security report is received and is assigned a primary handler. This person will coordinate the fix and release process. The problem is confirmed, and the code is audited to find any potential similar problems.
- A fix is prepared and held locally pending the announcement.
- A draft security advisory is prepared on GitHub, including details of the fix and advice on how to apply the fix.
- The security advisory and the fix are released to the public at the same time.
If you have any suggestions to improve this policy, please send an email to medineshkatwal@gmail.com.