Security Policy
Updated November 2024
This security policy outlines the procedures for handling security vulnerabilities and maintaining the security of the software following OWASP security principles.
1. SUPPORTED VERSIONS
Below are the versions of the software currently receiving security updates:
2025.1
Full Support
Current
Future versions will be announced with their respective support periods. Legacy versions will be listed here when available.
2. SECURITY COVERAGE
Security support is provided for:
All unmodified components within the Packages Directory
Core APIs and interfaces as documented
Authentication and authorization systems
Data handling routines in unmodified code
Limited or no security coverage is available for:
Modified components in the Packages Directory
Custom code outside the Packages Directory
Third-party integrations
Custom deployment configurations
3. REPORTING A VULNERABILITY
We take all security vulnerabilities seriously. Please follow these steps to report a security issue:
DO NOT report security vulnerabilities through public GitHub issues
Email security@novel.dev with detailed information
Include the following information in your report:
Type of vulnerability
Full path to source file(s)
Step-by-step reproduction instructions
Impact of the vulnerability
Suggested fix (if available)
4. DISCLOSURE POLICY
Our disclosure process follows these principles:
Reporter receives confirmation within 48 hours
Issue is verified and assessed within 7 days
Fix development begins for verified issues
Security advisory is published once patch is ready
Public disclosure after customers have update window
5. SECURITY UPDATE PROCESS
Security updates follow OWASP risk assessment methodology:
Critical vulnerabilities: 24-48 hour response
High severity: 1 week response
Medium severity: 2 week response
Low severity: Next scheduled release
6. OWASP SECURITY PRINCIPLES
Our security implementation follows OWASP principles:
Defense in Depth
Principle of Least Privilege
Secure by Default
Fail Securely
Security Through Design
Input Validation and Output Encoding
Keep Security Simple (KISS)
7. SECURITY FEATURES
The software implements OWASP recommended security controls:
Strong Authentication System
Role-based Access Control (RBAC)
API Rate Limiting
Comprehensive Input Validation
XSS Protection
CSRF Protection
SQL Injection Prevention
Security Headers
Audit Logging
Secure Session Management
8. SECURITY BEST PRACTICES
We recommend following these OWASP-aligned practices:
Regular dependency updates
Security feature enablement as documented
Environment variable usage for sensitive data
Rate limiting implementation
Audit logging enablement
Security scanning integration
Access control implementation
Secure communication protocols
9. INCIDENT RESPONSE
In case of a security incident:
Isolate affected systems
Report to security@novel.dev
Preserve logs and evidence
Wait for response team instructions
Document all actions taken
10. SECURITY MONITORING
We recommend implementing:
System activity monitoring
Error and access log monitoring
Failed authentication monitoring
API usage monitoring
Database access monitoring
11. SECURITY ASSESSMENTS
We conduct annual security assessments including:
Third-party penetration testing
Professional security code audit
Automated security scanning
Dependency vulnerability monitoring
Architecture security reviews
Results of these assessments inform our security roadmap and improvements. Details about our latest security audit can be requested by verified customers.
12. MODIFICATION OF POLICY
This security policy may be updated from time to time. Check the version number and modification date to ensure you have the latest version.
Last updated
Was this helpful?