We actively support the following versions of open-lark:

| Version | Supported |
|---|---|
| 0.4.x | ✅ |
| 0.3.x | ✅ |
| < 0.3 | ❌ |
We take security vulnerabilities seriously. If you discover a security vulnerability in open-lark, please report it to us privately.
- Email: Send details to zhooul@gmail.com with the subject "SECURITY: open-lark vulnerability"
- GitHub Security Advisory: Use GitHub's private vulnerability reporting feature
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes or mitigations
You can expect the following response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Varies based on severity, typically within 30 days for critical issues
When using open-lark:
- API Keys: Never hardcode API keys in your source code
- Environment Variables: Use `.env` files for sensitive configuration (excluded from version control)
- HTTPS: Always use HTTPS endpoints when communicating with Lark/Feishu APIs
- Input Validation: Validate all user inputs before processing
- Error Handling: Avoid exposing sensitive information in error messages
We follow responsible disclosure practices:
- We will acknowledge receipt of your vulnerability report
- We will investigate and validate the reported vulnerability
- We will develop and test a fix
- We will coordinate the release of the fix
- We will publicly acknowledge your contribution (if desired)
Thank you for helping keep open-lark and its users safe!