We actively support the following versions of Espresso.js with security updates:
| Version | Supported | End of Life |
|---|---|---|
| 4.x | ✅ Yes | TBD |
| 3.3.x | 2025-06-01 | |
| < 3.3 | ❌ No | Ended |
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues privately:
- Email: security@vimedev.com
- Subject:
[SECURITY] Espresso.js - Brief Description - Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
Subject: [SECURITY] Espresso.js - [Brief Description]
**Vulnerability Type**: [e.g., XSS, SQL Injection, etc.]
**Affected Versions**: [e.g., 4.0.0, 3.3.6]
**Description**:
[Detailed description of the vulnerability]
**Steps to Reproduce**:
1. [Step 1]
2. [Step 2]
3. [Step 3]
**Impact**:
[What can an attacker do with this vulnerability?]
**Suggested Fix** (optional):
[Your recommendation]
**Reporter**: [Your name/handle]
**Contact**: [Your email]
- Initial Response: Within 48 hours
- Vulnerability Assessment: Within 5 business days
- Fix Development: Depends on severity (see below)
- Public Disclosure: After fix is released (coordinated with reporter)
| Severity | Response Time | Examples |
|---|---|---|
| Critical | 24-48 hours | Remote code execution, authentication bypass |
| High | 3-5 days | SQL injection, XSS, privilege escalation |
| Medium | 1-2 weeks | CSRF, information disclosure |
| Low | 2-4 weeks | Minor information leaks, DoS |
- Acknowledgment: We confirm receipt of your report
- Investigation: We verify and assess the vulnerability
- Fix Development: We develop and test a patch
- Coordinated Disclosure: We work with you on disclosure timing
- Release: We release a security patch
- Advisory: We publish a security advisory
- Credit: We credit you in the advisory (if desired)
Security advisories are published on:
- GitHub Security Advisories: https://github.com/misterzik/Espresso.js/security/advisories
- npm Advisory Database
- CHANGELOG.md with
[SECURITY]tag
Currently, we do not have a formal bug bounty program. However:
- We acknowledge security researchers in our CHANGELOG
- We provide credit in security advisories
- We may offer rewards for critical vulnerabilities on a case-by-case basis
For developers using Espresso.js, please refer to:
- ✅ Regular dependency updates
- ✅ Automated security scanning (npm audit)
- ✅ Code review for security issues
- ✅ Security-focused testing
- ✅ Prompt response to vulnerability reports
Espresso.js v4.0.0 includes:
- Helmet.js for secure HTTP headers
- express-mongo-sanitize for NoSQL injection prevention
- hpp for HTTP Parameter Pollution protection
- express-rate-limit for DDoS protection
- Input validation with express-validator
- Secure credential handling
See docs/SECURITY.md for detailed information.
Security issues in:
- Espresso.js core framework
- Built-in middleware
- Configuration handling
- Authentication/authorization helpers
- API enhancements
- SSR implementation
- Third-party dependencies (report to respective maintainers)
- User application code
- Deployment infrastructure
- Social engineering attacks
- Physical security
We follow coordinated disclosure:
- Reporter notifies us privately
- We confirm and investigate
- We develop a fix
- We coordinate disclosure timing with reporter
- We release the fix
- We publish advisory (typically 7 days after fix)
We request that reporters:
- Give us reasonable time to fix the issue
- Do not publicly disclose until we release a fix
- Do not exploit the vulnerability
We maintain transparency about past security issues:
- No known security vulnerabilities
- [FIXED] MongoDB credential exposure in connection string (v4.0.0)
- [FIXED] Weak CSP with unsafe-inline (v4.0.0)
- [FIXED] No NoSQL injection prevention (v4.0.0)
See CHANGELOG.md for complete history.
- Primary: security@vimedev.com
- GitHub: @misterzik
- Issues: https://github.com/misterzik/Espresso.js/issues (for non-security bugs only)
We thank the following security researchers for responsible disclosure:
- [Your name could be here!]
- OWASP Top 10
- Node.js Security Best Practices
- Express Security Best Practices
- npm Security Advisories
By reporting a security vulnerability, you agree to:
- Act in good faith
- Not exploit the vulnerability beyond what's necessary to demonstrate it
- Keep the vulnerability confidential until we release a fix
- Not demand payment or rewards
We commit to:
- Respond promptly to your report
- Keep you informed of our progress
- Credit you in the security advisory (if desired)
- Not take legal action against good-faith security research
Last Updated: January 15, 2024
Version: 4.0.0
Contact: security@vimedev.com