Security: adhocteam/usai-api

SECURITY.md

Security Policy

Reporting Security Vulnerabilities

The security of this library is important to us, especially given its intended use by government agencies. We appreciate responsible disclosure of security vulnerabilities.

Reporting Process

DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities by emailing:

  • Primary: security@adhocteam.us
  • Subject Line: "[SECURITY] USAi API Node.js Library - [Brief Description]"

Include the following information:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

🛡️ Security Best Practices for Users

When using this library in government environments:

  1. Environment Variables: Always use environment variables for API keys
  2. Network Security: Ensure TLS 1.2+ for all communications
  3. Credential Rotation: Regularly rotate API keys and credentials
  4. Audit Logging: Enable comprehensive logging for security audits
  5. Access Control: Limit library usage to authorized personnel only
  6. Updates: Keep the library updated to the latest secure version

🔒 Supply Chain Security

This project implements comprehensive supply chain security measures:

  • GuardDog Scanning: Automated detection of malicious packages, typosquatting, and supply chain attacks
  • Dependency Auditing: Daily npm audit scans for known vulnerabilities
  • License Compliance: Automated license checking against approved government licenses
  • Secrets Detection: Continuous monitoring for exposed credentials
  • Multi-layered Protection: npm audit, Snyk, CodeQL, and GuardDog provide complementary coverage

GuardDog Integration

We use GuardDog to protect against:

  • Malicious npm packages in dependencies
  • Typosquatting attacks
  • Code obfuscation and hidden payloads
  • Unauthorized network communication
  • Install script vulnerabilities
  • Dependency confusion attacks

The scan runs automatically on:

  • Every push to main branch that modifies dependencies
  • Daily at 2 AM UTC
  • Manual workflow dispatch
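As an added illustration (not the project's own workflow file), a GitHub Actions workflow wired to exactly the three triggers listed above. The paths filter is an assumption about which files count as dependency changes, and the GuardDog install and `guarddog npm verify` invocation follow the GuardDog CLI's documented usage rather than anything this repository publishes.

```yaml
# Added example: GuardDog scan of declared npm dependencies.
# Triggers mirror the policy above: dependency changes on main,
# a daily 02:00 UTC run, and manual dispatch.
name: GuardDog supply-chain scan

on:
  push:
    branches: [main]
    paths:                      # assumed set of dependency files
      - 'package.json'
      - 'package-lock.json'
  schedule:
    - cron: '0 2 * * *'         # daily at 2 AM UTC
  workflow_dispatch:

permissions:
  contents: read                # scan only needs to read the tree

jobs:
  guarddog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Install GuardDog
        run: pip install guarddog
      - name: Verify declared npm dependencies
        # Fails the job when any heuristic fires, so a flagged package
        # blocks the merge instead of only appearing in the log.
        run: guarddog npm verify package.json --exit-non-zero-on-finding
```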

🏛️ Government Security Considerations

For federal agencies and government users:

  • FedRAMP Compliance: Review against your agency's FedRAMP requirements
  • ATO Process: Include this library in your Authority to Operate reviews
  • FISMA Compliance: Ensure usage aligns with FISMA requirements
  • Security Controls: Implement appropriate NIST 800-53 controls
  • Incident Response: Include in your cybersecurity incident response plans

Contact

For non-security related questions, please use:

  • GitHub Issues: For bugs and feature requests
  • GitHub Discussions: For general questions

Thank you for helping keep this library secure! 🇺🇸