Security Policy

Last updated: May 15, 2025

The Helloblue AI Foundation takes the security of Bleu.js seriously. This document outlines our security procedures and provides information for reporting potential vulnerabilities.

Supported Versions

The following versions of Bleu.js are currently supported with security updates:

Version   Supported   End of Support
4.x       Yes         May 2027
3.x       Yes         November 2025
2.x       No          January 2025
1.x       No          June 2024

Users of unsupported versions should upgrade as soon as possible to receive security updates.

Reporting a Vulnerability

We encourage responsible disclosure of security vulnerabilities in Bleu.js. To report a security issue, please follow these steps:

  1. Do not report security vulnerabilities through public GitHub issues.
  2. Email your findings to [email protected]. Encrypt your email using our PGP key if the vulnerability is particularly sensitive.
  3. Provide detailed information about the vulnerability, including:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested mitigation or fix (if available)
  4. Allow us a reasonable time to investigate and address the vulnerability before any public disclosure.

Security Bug Bounty Program

We run a bug bounty program to encourage security researchers to report vulnerabilities responsibly. Valid reports may be eligible for rewards, depending on the impact and severity of the vulnerability. For details, visit our Bug Bounty page.

Our Response Process

When a security vulnerability is reported, we will:

  1. Confirm receipt of your report within 24 hours
  2. Provide an initial assessment of the report within 72 hours
  3. Investigate the vulnerability and determine its impact
  4. Develop and test a fix for the vulnerability
  5. Release security updates for supported versions
  6. Publish a security advisory providing details about the vulnerability, affected versions, and update instructions

We are committed to keeping you informed throughout this process and will notify you when we have released a fix.

Security Advisories

Security advisories for Bleu.js can be found on our Security Advisories page. They are also published in the GitHub Security Advisories section of our repository.

Best Practices

To help keep your Bleu.js applications secure, we recommend following these best practices:

  • Keep Bleu.js and its dependencies up to date
  • Use the latest stable version whenever possible
  • Implement proper input validation and sanitization
  • Follow the principle of least privilege when setting up API permissions
  • Regularly audit your code for security vulnerabilities
  • Use HTTPS for all communications
  • Never expose your API keys or secrets in client-side code

Acknowledgments

We would like to thank the following security researchers who have responsibly disclosed vulnerabilities:

  • Jane Smith - API token validation bypass
  • Alex Johnson - Cross-site scripting vulnerability in documentation
  • Mira Patel - Path traversal vulnerability
  • Samuel Lee - Prototype pollution in core module

For questions about this policy, please contact [email protected].