We take the security of React Native Components (RNC Theme) very seriously and are committed to protecting our users. This document outlines our security policy and how to report vulnerabilities that are discovered.

We provide security updates for the following versions:

• Current Major Version: Receives all security updates
• Previous Major Version: Receives critical security fixes for 6 months
• Older Versions: Do not receive security updates

IMPORTANT: Do not report security vulnerabilities through public GitHub Issues. This could endanger other users.

📧 Email: [email protected]
🔐 PGP Key: Download PGP Key

Use GitHub Security Advisory to report privately.

When reporting a vulnerability, please include:

**Vulnerability Type**: [e.g., XSS, Injection, etc.]
**Affected Component**: [e.g., Button, Input, etc.]
**Affected Versions**: [e.g., 1.0.0 - 1.2.0]
**Severity**: [Critical/High/Medium/Low]
**Description**: Detailed description of the vulnerability
**Steps to Reproduce**: 
1. Step 1
2. Step 2
3. Step 3

**Impact**: What can an attacker achieve?
**Proof of Concept**: Code or screenshots demonstrating the issue
**Suggested Fix**: If you have ideas for fixing
**Discoverer**: Your name/handle (for credit)

We are committed to responding to security reports with the following timeline:

1. Receipt & Confirmation

   • Security team receives report
   • Confirmation sent to reporter
   • Internal ticket created

2. Assessment & Triage

   • Verification and issue reproduction
   • Severity assessment (CVSS scoring)
   • Impact analysis

3. Development & Testing

   • Fix development
   • Security testing
   • Regression testing

4. Release & Disclosure

   • Security patch release
   • Coordinated disclosure
   • Public advisory (if needed)

• Remote code execution
• Privilege escalation
• Data breach potential
• Response: Immediate (24-48 hours)

• Significant data exposure
• Authentication bypass
• Cross-site scripting (XSS)
• Response: 3-7 days

• Information disclosure
• Denial of service
• CSRF vulnerabilities
• Response: 7-14 days

• Minor information leaks
• Low-impact issues
• Response: 14-30 days

We appreciate security researchers who help keep the project secure:

Currently we do not have a bug bounty program, but we provide:

• Public Recognition: Your name in the Hall of Fame
• CVE Credit: Credit in CVE if applicable
• Swag: RNC Theme merchandise (for critical findings)
• Early Access: Beta access to new features

# Always use the latest version
npm update rnc-theme

# Check for security advisories
npm audit

// Use secure configuration
import { RNCProvider } from 'rnc-theme';

const App = () => {
  return (
    <RNCProvider
      // Avoid exposing sensitive data in theme
      theme={{
        // ❌ Don't store API keys or secrets
        // apiKey: 'secret-key',
        
        // ✅ Use environment variables
        colors: {
          primary: process.env.EXPO_PUBLIC_PRIMARY_COLOR || '#007AFF'
        }
      }}
    >
      {/* Your app */}
    </RNCProvider>
  );
};

// Always validate user input
import { Input } from 'rnc-theme';
import { z } from 'zod';

const schema = z.string().max(100).regex(/^[a-zA-Z0-9\s]+$/);

const SecureInput = () => {
  const handleChange = (value: string) => {
    try {
      const validated = schema.parse(value);
      // Process validated input
    } catch (error) {
      // Handle validation error
    }
  };

  return (
    <Input
      onChangeText={handleChange}
      // Use secure text entry for passwords
      secureTextEntry={true}
    />
  );
};

• Use static analysis tools
• Review dependencies regularly
• Follow OWASP guidelines
• Implement proper error handling

• Security-focused code reviews
• Check for common vulnerabilities
• Validate input/output handling
• Review third-party dependencies

# Run security tests
npm run test:security

# Dependency audit
npm audit

# SAST scanning
npm run lint:security

• Dependabot: Automated dependency updates
• CodeQL: Static analysis scanning
• npm audit: Dependency vulnerability scanning
• ESLint Security: Security-focused linting rules

• Code review with security focus
• Penetration testing for major releases
• Third-party security audits (annually)

• OWASP Mobile Security
• React Native Security
• Node.js Security Best Practices

• npm audit
• Snyk
• ESLint Security Plugin

• Email: [email protected]
• PGP Key: Download
• Response Time: 24 hours

• GitHub: @maintainer
• Email: [email protected]

We follow responsible disclosure principles:

1. Coordination: Work with reporter on disclosure timeline
2. Transparency: Clear communication about progress
3. Credit: Provide appropriate credit to reporter
4. Protection: Protect users with quick patches

We will not take legal action against security researchers who:

• Report vulnerabilities responsibly
• Do not access unnecessary data
• Do not damage systems or data
• Provide reasonable time for fixes

Last Updated: [Date]
Version: 1.0
Contact: [email protected]

This document will be updated regularly to reflect the latest security practices.