If you discover a security vulnerability within SSG, please send an email to [email protected]. All security vulnerabilities will be promptly addressed.

Please do not open a public GitHub issue for security vulnerabilities.

When reporting a vulnerability, please include:

1. Description: A clear description of the vulnerability
2. Steps to reproduce: How can we reproduce the issue?
3. Impact: What is the potential impact?
4. Version: Which version of SSG is affected?

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Release: Within 30 days for critical issues

1. Keep SSG Updated: Always use the latest version
2. Validate Input: Sanitize content before processing
3. Review Templates: Audit custom templates for XSS vulnerabilities
4. Use HTTPS: Deploy generated sites over HTTPS
5. Content Security Policy: Configure appropriate CSP headers

1. Escape Output: Always escape user-provided content
2. Avoid Inline JS: Use external JavaScript files
3. Validate URLs: Check URLs before rendering links
4. Sanitize HTML: Use HTML sanitization for user content

SSG includes several security features:

• Path Traversal Protection: Prevents directory traversal attacks when extracting themes
• Content Escaping: HTML templates automatically escape content
• Secure Defaults: Safe configuration defaults
• No Eval: No dynamic code execution from templates

Security updates are released as patch versions (e.g., 1.4.1, 1.4.2). Subscribe to releases on GitHub to stay informed.

We appreciate security researchers who responsibly disclose vulnerabilities. Contributors will be acknowledged in release notes (unless they prefer to remain anonymous).