| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
We take the security of the ForLoop Plugin seriously. If you believe you've found a security vulnerability, please follow these steps:
- DO NOT create a public GitHub issue for security vulnerabilities
- Email your findings to: security@forloop.cc
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce the issue
  - Potential impact
  - Suggested fix (if any)
  - Your contact information
What to expect after you report:
- Initial response: within 48 hours
- Status update: within 5 business days
- Resolution timeline: depends on severity and complexity
When using the ForLoop Plugin:
- Token Security
  - Never commit API tokens to version control; a token that has been committed should be treated as exposed and rotated, even if the commit is later removed
  - Use environment variables or secure token storage
  - Rotate tokens regularly
  - Request only the minimum required scopes
- Plugin Updates
  - Keep the plugin updated to the latest version
  - Review the changelog for security fixes
  - Enable automatic updates when possible
- Access Control
  - Use organization-level tokens for team projects
  - Limit token permissions to the required scopes only
  - Revoke unused or old tokens
The plugin implements the following security features:
- Token storage with restricted file permissions (mode 0o600, owner read/write only)
- API token validation before requests are sent
- Support for scoped API tokens
- Secure token exchange for Lambda execution
- Tokens and other sensitive data are never written to logs
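The two items above about token handling (prefer environment variables or secure storage; keep the token file at mode 0o600) are easy to get subtly wrong, so here is an added example of how that can be done correctly. This is illustration code, not the ForLoop Plugin's own implementation: the environment variable name `FORLOOP_TOKEN`, the path `~/.forloop/token`, and the placeholder token values are assumptions, and POSIX permission semantics are assumed (Windows does not map these mode bits).

```python
"""Private token storage: write with 0o600, refuse to read a looser file.

Added illustration, not the ForLoop Plugin's own code. The environment
variable FORLOOP_TOKEN and the path ~/.forloop/token are assumptions.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

TOKEN_ENV_VAR = "FORLOOP_TOKEN"                           # assumed name
DEFAULT_TOKEN_PATH = Path.home() / ".forloop" / "token"   # assumed path


class InsecureTokenFile(Exception):
    """The on-disk token is readable or writable by group or others."""


def mode_is_private(mode: int) -> bool:
    """True when the permission bits grant nothing to group or others.

    Accepts a full st_mode or bare permission bits (0o600, 0o400, ...).
    """
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def save_token(token: str, path: Path = DEFAULT_TOKEN_PATH) -> Path:
    """Store the token so that only the owner can read it, atomically.

    mkstemp creates the temporary file with mode 0o600 and O_EXCL, so the
    token never exists on disk with umask-derived (possibly 0o644)
    permissions; the rename then replaces any previous token in one step.
    """
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(token)
        os.chmod(tmp_name, 0o600)  # explicit, in case the umask stripped owner bits
        os.replace(tmp_name, path)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise
    return path


def load_token(path: Path = DEFAULT_TOKEN_PATH) -> Optional[str]:
    """Return the token from the environment, else from the file, else None.

    The environment wins so CI and Lambda-style runtimes never need a file.
    Permissions are checked with fstat on the open descriptor, so the check
    applies to the file actually read (no stat-then-open race). A file that
    group or others can read is refused: a token other local users could
    read should be treated as exposed and rotated, not silently used.
    """
    env_value = os.environ.get(TOKEN_ENV_VAR)
    if env_value:
        return env_value.strip()
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # do not follow a planted symlink
    try:
        fd = os.open(str(path), flags)
    except FileNotFoundError:
        return None
    with os.fdopen(fd, "r") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode) or not mode_is_private(st.st_mode):
            raise InsecureTokenFile(
                f"{path} has mode {stat.S_IMODE(st.st_mode):04o}; expected 0600 "
                "(fix: chmod 600 the file, then rotate the token)"
            )
        return fh.read().strip()


def run_demo(directory: Optional[str] = None) -> dict:
    """Round-trip a constructed placeholder token and exercise each check."""
    base = Path(directory) if directory else Path(tempfile.mkdtemp(prefix="forloop-demo-"))
    token_path = base / "token"
    saved_env = os.environ.pop(TOKEN_ENV_VAR, None)  # force the file path to be used first
    try:
        save_token("fl_example_token_not_real", token_path)  # constructed value
        results = {
            "mode": stat.S_IMODE(token_path.stat().st_mode),
            "loaded": load_token(token_path),
        }
        os.chmod(token_path, 0o644)  # simulate a token file left world-readable
        try:
            load_token(token_path)
            results["world_readable_refused"] = False
        except InsecureTokenFile:
            results["world_readable_refused"] = True
        os.environ[TOKEN_ENV_VAR] = "fl_env_token_not_real"  # constructed value
        results["env_wins"] = load_token(token_path)  # the file is never opened
    finally:
        if saved_env is None:
            os.environ.pop(TOKEN_ENV_VAR, None)
        else:
            os.environ[TOKEN_ENV_VAR] = saved_env
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two details matter more than the `0o600` literal itself: the file must never exist, even briefly, with looser permissions (hence the private temporary file plus rename), and a reader should refuse a token file that has drifted to `0o644` rather than quietly using it, because by then the token may already be in another local user's hands.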
Check the security advisories page for past security issues and resolutions.
We appreciate responsible disclosure and will credit reporters (with permission) in our security advisories.
Thank you for helping keep the ForLoop Plugin secure!