Security: cerberus-iam/laravel-sdk

SECURITY.md

Security Policy

Supported Versions

We take security seriously and actively maintain security updates for the following versions:

Version Supported
1.x.x
< 1.0

Reporting a Vulnerability

If you discover a security vulnerability in this package, please help us by reporting it responsibly.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

  • Email: security@cerberus-iam.dev
  • Subject: [SECURITY] Vulnerability in cerberus/laravel-iam

What to Include

When reporting a security vulnerability, please include:

  1. Description: A clear description of the vulnerability
  2. Impact: Potential impact and severity
  3. Steps to Reproduce: Detailed reproduction steps
  4. Affected Versions: Which versions are affected
  5. Mitigations: Any known workarounds or mitigations
  6. Contact Information: How we can reach you for follow-up

Our Process

  1. Acknowledgment: We will acknowledge receipt within 48 hours
  2. Investigation: We will investigate and validate the report
  3. Fix Development: We will develop and test a fix
  4. Disclosure: We will coordinate disclosure with you
  5. Release: We will release the fix and security advisory

Responsible Disclosure

We follow responsible disclosure practices:

  • We will keep you informed throughout the process
  • We will credit you (if desired) in our security advisory
  • We will not disclose details until a fix is available
  • We will release fixes as quickly as possible

Security Updates

Security updates will be:

  • Released as patch versions (e.g., 1.2.3 → 1.2.4)
  • Documented in the CHANGELOG.md
  • Announced via GitHub Security Advisories
  • Tagged with appropriate security labels

Best Practices for Users

When using this package:

  1. Keep Dependencies Updated: Regularly update to the latest versions
  2. Use HTTPS: Always configure HTTPS endpoints for OAuth
  3. Secure Configuration: Store secrets securely (not in version control)
  4. Monitor Logs: Monitor for unusual authentication patterns
  5. Validate Inputs: Always validate and sanitize user inputs

Contact

For security-related questions or concerns:

  • Email: security@cerberus-iam.dev
  • Response Time: Within 48 hours for vulnerability reports

There aren’t any published security advisories