We actively support the following versions of NativeFire with security updates:

| Version | Supported |
|---|---|
| 1.x.x | ✅ Active support |
| < 1.0 | ❌ Not supported |
We take security vulnerabilities seriously. If you discover a security vulnerability in NativeFire, please report it to us privately.
- GitHub Security Advisories (Preferred)
  - Go to the Security Advisories page
  - Click "New draft security advisory"
  - Fill out the form with vulnerability details
- Email (Alternative)
  - Send an email to: [email protected]
  - Include "SECURITY" in the subject line
  - Provide detailed information about the vulnerability
Please include the following information in your report:
- Description: A clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Potential impact and attack scenarios
- Affected Versions: Which versions are affected
- Proposed Fix: If you have suggestions for fixing the issue
- Proof of Concept: Code or commands demonstrating the vulnerability (if safe to share)
We aim to respond to security reports according to the following timeline:
- Initial Response: Within 24 hours
- Assessment: Within 72 hours
- Resolution: Varies based on severity and complexity
  - Critical: 1-7 days
  - High: 7-14 days
  - Medium: 14-30 days
  - Low: 30-90 days

Reports move through the following stages:
- Report Received: We acknowledge receipt and begin assessment
- Verification: We verify and reproduce the vulnerability
- Assessment: We assess the impact and severity
- Development: We develop and test a fix
- Disclosure: We coordinate responsible disclosure
- Release: We release the security fix
- Advisory: We publish a security advisory (if applicable)
We use the following severity classifications:
- Critical
  - Remote code execution
  - Privilege escalation to system administrator
  - Large-scale data exposure
- High
  - Significant data exposure
  - Authentication bypass
  - Privilege escalation to application level
- Medium
  - Cross-site scripting (XSS)
  - SQL injection with limited impact
  - Information disclosure
- Low
  - Minor information disclosure
  - Issues requiring significant user interaction
  - Theoretical vulnerabilities with no practical exploit
- We will respond to your report promptly and keep you updated
- We will not take legal action against security researchers who:
  - Report vulnerabilities responsibly and privately
  - Do not access more data than necessary to demonstrate the vulnerability
  - Do not harm our systems or users
  - Give us reasonable time to fix the issue before public disclosure
We appreciate security researchers who help keep NativeFire secure:
- We will acknowledge your contribution in our security advisory (unless you prefer to remain anonymous)
- We may feature your contribution in our release notes
- For significant findings, we may provide recognition on our website
To help protect yourself when using NativeFire:
- Keep Updated: Always use the latest version of NativeFire
- Verify Downloads: Only download NativeFire from official sources
- Review Permissions: Understand what permissions NativeFire requires
- Secure Environment: Use NativeFire in a secure development environment
- Firebase Security: Follow Firebase security best practices for your projects
NativeFire includes several security features:
- Dependency Validation: Checks for required external tools before execution
- Input Sanitization: Validates user inputs and file paths
- Minimal Permissions: Runs with minimal required permissions
- Secure Defaults: Uses secure configuration defaults
- No Secret Storage: Does not store sensitive information locally
Users should be aware of the following security considerations:
- Firebase CLI Authentication: NativeFire relies on Firebase CLI authentication
- File System Access: NativeFire modifies project files and directories
- Network Requests: NativeFire makes requests to Firebase APIs
- External Dependencies: NativeFire depends on external tools (Firebase CLI, etc.)
Security updates are distributed through:
- GitHub Releases: Security patches are released as new versions
- Package Managers: Updates are available through Homebrew, npm, etc.
- Security Advisories: Critical issues are announced via GitHub Security Advisories
- Release Notes: Security fixes are documented in release notes
For security-related questions or concerns:
- Security Email: [email protected]
- GitHub Security: https://github.com/clix-so/nativefire/security
- General Issues: https://github.com/clix-so/nativefire/issues (for non-security issues only)
Thank you for helping keep NativeFire and its users secure! 🔒