# Security Policy

## Supported Versions

We provide security updates for the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 2.x.x   | :white_check_mark: |
| 1.x.x   | :x:                |

## Reporting a Vulnerability

If you discover a security vulnerability, please report it through one of the following channels.

### Reporting Channels

- **GitHub Security Advisories**: [Report a vulnerability](https://github.com/esengine/esengine/security/advisories/new) (Recommended)
- **Email**: security@esengine.dev

### Reporting Guidelines

1. **Do NOT** report security vulnerabilities in public issues
2. Provide a detailed description of the vulnerability, including:
   - Affected versions
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if available)

### Response Timeline

- **Acknowledgment**: Within 72 hours
- **Initial Assessment**: Within 1 week
- **Fix Release**: Typically within 2-4 weeks, depending on severity

### Process

1. We will confirm the existence and severity of the vulnerability
2. We will develop and test a fix
3. We will release a security update
4. We will publicly disclose the vulnerability details after the fix is released

## Security Best Practices

When using ESEngine, please follow these security recommendations:

- Always use the latest stable version
- Regularly update dependencies
- Disable debug mode in production
- Validate all external input data
- Do not store sensitive information on the client side

Thank you for helping keep ESEngine secure!