# Security Policy

## Supported Versions
We currently support the following versions of the library with security updates:

| Version | Supported |
|---------|-----------|
| 1.8.4   | ✅         |
| 1.8.3   | ✅         |
| 1.8.2   | ✅         |
| 1.8.1   | ✅         |
| 1.8.0   | ✅         |
| 1.7.2   | ✅         |
| 1.7.1   | ✅         |
| 1.7.0   | ✅         |
| 1.6.1   | ✅         |
| 1.6.0   | ✅         |
| 1.5.9   | ✅         |
| 1.5.8   | ✅         |
| 1.5.7   | ✅         |
| 1.5.6   | ✅         |
| 1.5.5   | ✅         |
| 1.5.4   | ✅         |
| 1.5.3   | ✅         |
| 1.5.2   | ✅         |
| 1.1.2   | ✅         |
| 1.1.1   | ✅         |
| 1.0.0   | ✅         |

If you are using an unsupported version, please consider upgrading to ensure you receive important security updates.

---

## Reporting a Vulnerability
We take the security of our project seriously. If you discover a security vulnerability, please do the following:
1. Do not report vulnerabilities publicly.  
   To protect users, please avoid discussing security issues in public forums (e.g., GitHub issues, social media, GitHub discussions, or pull requests).
2. Send an email to [security@apexclearing.com](mailto:security@apexclearing.com) with detailed information about the vulnerability.  
   Include the following:
   - A description of the issue.
   - The version of the library where the issue was found.
   - Steps to reproduce the behavior or a proof of concept (PoC).
   - Any potential mitigations you are aware of.
   - The following additional information would be useful for us to recreate the issue:
       - The category of the issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
       - Complete file paths of source files connected to the occurrence of the issue if available
       - The specific location of the affected source code (e.g., tag, branch, commit, or a direct URL)
       - Any unique configuration needed to replicate the issue
       - Detailed, step-by-step directions to reproduce the issue
       - A proof-of-concept or exploit code, if available
       - The potential impact of the issue, including possible ways an attacker could exploit it
3. We will acknowledge your report within 48 hours and provide a further, more detailed update within 48 hours. We will also:
   - Confirm the problem and determine the affected versions.
   - Keep you informed of the progress towards resolving the problem and notify you when the vulnerability has been fixed.
   - Audit code to find any potential similar problems.
   - Inform affected users through our release notes and advisory notices.
   - Keep all communication confidential until we publish a fix and announce it responsibly.

---

## Vulnerability Disclosure Process
We follow a responsible disclosure process to ensure vulnerabilities are resolved safely and promptly:
1. We will identify the impact and severity of the issue and confirm the issue with the reporter.
2. A patched version will be released, and a security advisory will be published.
3. Affected users will be informed through our release notes and advisory notices.

---

## General Security Guidance
- Make sure you are running the latest version of the library.
- Review the library's change logs and security advisories before upgrading.
- If applicable, follow our security advice at [developer.apexclearing.com](http://developer.apexclearing.com).

---

## Acknowledgment
We appreciate and value the contributions from the security community. If you report a valid vulnerability, we are happy to credit you in our security advisory, unless you wish to remain anonymous.

---
