- Notifications
You must be signed in to change notification settings - Fork7.1k
Security: lodash/lodash
Security
SECURITY.md
The following table describes the versions of this project that are currentlysupported with security updates:
| Version | Supported |
|---|---|
| 4.x | ✅ |
| 3.x | ❌ |
| 2.x | ❌ |
| 1.x | ❌ |
To better understand which classes of vulnerabilities are considered in-scope or out-of-scope for Lodash, please review theLodash Threat Model.
The threat model defines Lodash’s trust boundaries and clarifies how security issues are assessed for triage and disclosure.
A responsible disclosure policy helps protect users of the project from publiclydisclosed security vulnerabilities without a fix by employing a process wherevulnerabilities are first triaged in a private manner, and only publicly disclosedafter a reasonable time period that allows patching the vulnerability and providesan upgrade path for users.
We kindly ask you to refrain from malicious acts that put our users, the project,or any of the project’s team members at risk.
We consider the security of Lodash a top priority. But no matter how much effortwe put into security, there can still be vulnerabilities present.
If you discover a security vulnerability, please report the security issuedirectly to the Lodash maintainers through theSecurity tab of the Lodashrepository.
Your efforts to responsibly disclose your findings are sincerely appreciated.
If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA atsecurity@lists.openjsf.org.
If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate.