Currently supported versions for security updates:

To report a security vulnerability, please follow these steps:

1. DO NOT create a public GitHub issue for security vulnerabilities
2. Send an email to: [email protected]
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
   • Any suggested fixes

You can expect:

• Acknowledgment within 48 hours
• Initial assessment within 1 week
• Regular updates on progress
• Credit in security advisories (if desired)

• GitHub Actions CI/CD: Automated security scanning on all PRs and commits
• OWASP Dependency Check: Automated vulnerability scanning of dependencies
• Dependabot: Automated security updates for dependencies
• Trivy Scanning: Container and filesystem vulnerability scanning
• TruffleHog: Secrets detection in code
• SonarCloud: Static code analysis for security issues

• Spring Boot BOM manages most dependency versions
• Security patches automatically applied via Dependabot
• OWASP suppressions file documents accepted risks during migration

Temporary Security Debt:

1. Legacy OAuth2: spring-security-oauth2:2.5.2 scheduled for replacement
2. Xerces XML: Direct dependency scheduled for removal
3. Compilation Errors: Some entity classes have compilation issues

Migration Timeline:

• Target completion: Q2 2025
• Security-first approach: Critical vulnerabilities addressed immediately
• All legacy dependencies will be replaced or removed

• OAuth2 implementation follows Green Button Alliance specifications
• JWT token handling for third-party access
• Retail customer data protection via authorization scopes

• Energy usage data encryption in transit
• Database connection security via Spring Boot configuration
• No hardcoded credentials in source code (verified by TruffleHog)

1. All security-related changes require 2+ reviewer approval
2. Dependency updates automatically tested for vulnerabilities
3. Static analysis results must be reviewed

1. Never commit secrets: Use environment variables or encrypted secrets
2. Validate all inputs: Especially XML parsing and database queries
3. Follow OWASP guidelines: For web application security
4. Test security features: Include security test cases in PRs

Run security scans locally:

# OWASP Dependency Check
mvn org.owasp:dependency-check-maven:check

# Check for outdated dependencies
mvn versions:display-dependency-updates

# Static analysis
mvn spotbugs:check

This library implements security measures specific to the Green Button ecosystem:

1. ESPI Authorization: OAuth2-based customer consent management
2. Data Scope Control: Fine-grained access control for energy data
3. Third-Party Isolation: Secure separation between data custodians and third parties

• Leverages Spring Security 6.x (post-migration) for authentication
• Role-based access control for retail customers and applications
• Secure REST API endpoints with proper authorization

In case of a security incident:

1. Immediate: Contact [email protected]
2. Assessment: Security team evaluates impact within 24 hours
3. Mitigation: Hotfix releases for critical vulnerabilities
4. Communication: Security advisories published on GitHub
5. Post-Incident: Security review and process improvements

For questions about this security policy, contact the Green Button Alliance security team.