
Security: samithahansaka/dropup


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please report it responsibly.

How to Report

  1. Do NOT open a public issue for security vulnerabilities
  2. Email the maintainer directly or create a private security advisory
  3. Include as much detail as possible:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 1 week
  • Resolution Timeline: Depends on severity, typically 2-4 weeks

After Reporting

  • We'll work with you to understand and resolve the issue
  • We'll keep you updated on our progress
  • Once fixed, we'll publicly acknowledge your contribution (unless you prefer otherwise)

Security Best Practices

When using dropup:

  1. Validate file types server-side - Client-side checks give fast feedback but run in an environment the uploader controls and are trivially bypassed; never rely on them alone
  2. Set appropriate file size limits - Enforce them on the server (and at any proxy or storage policy in front of it), not only in the browser, to prevent DoS through large uploads
  3. Use HTTPS - Always upload over secure connections
  4. Sanitize filenames - Use our commonRules.safeFileName validator, and never use a client-supplied name as a storage path on the server
  5. Verify MIME types - Use commonRules.extensionMatchesMime validator; note that browsers typically derive a file's reported type from its extension, so this catches inconsistencies but cannot prove what the content is, which only server-side inspection can
  6. Implement authentication - Protect upload endpoints, and any endpoint that issues presigned URLs, appropriately

Known Security Considerations

File Upload Security

  • dropup validates files on the client side for fast feedback, but that validation runs in an environment the uploader controls, so server-side validation is essential
  • Always validate file types, sizes, and content on your server, and store uploads under server-generated names rather than the client's filename
  • Consider virus scanning for uploaded files
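The server-side checks called for in Security Best Practices and in the list above, as an added example. This is not dropup's code and does not use its commonRules validators; the size limit, the extension allow-list, the magic-byte table and the sample inputs are assumptions for illustration. It treats the filename, the claimed MIME type and the size as untrusted and lets the content sniff decide.

```javascript
// Added example, not dropup's code: server-side upload checks that trust nothing
// the browser sent (filename, claimed MIME type, or size). The limit, allow-list
// and sample inputs are assumptions for illustration.

const MAX_BYTES = 5 * 1024 * 1024; // assumed 5 MiB limit; also enforce it at the proxy

// Allow-list keyed by extension: the MIME type the client must claim and the
// magic bytes the content must actually start with.
const ALLOWED = {
  png: { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47] },
  jpg: { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  jpeg: { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] },
  pdf: { mime: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46] },
};

// Reduce a client-supplied name to one path segment with a conservative character
// set, no leading dots (hidden files, ".."), and a bounded length that keeps the extension.
function sanitizeFileName(name) {
  const base = String(name || '').split(/[\\/]/).pop() || '';
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '');
  if (!cleaned) return 'upload';
  const dot = cleaned.lastIndexOf('.');
  const stem = dot > 0 ? cleaned.slice(0, dot) : cleaned;
  const ext = dot > 0 ? cleaned.slice(dot) : '';
  return stem.slice(0, 64) + ext.slice(0, 16);
}

function extensionOf(name) {
  const m = /\.([A-Za-z0-9]+)$/.exec(name);
  return m ? m[1].toLowerCase() : '';
}

function startsWithMagic(bytes, magic) {
  return bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b);
}

// Returns { ok, name, errors }; `name` is the sanitized filename to store under.
function validateUpload({ filename, claimedMime, bytes }) {
  const errors = [];
  const name = sanitizeFileName(filename);
  const ext = extensionOf(name);
  const rule = ALLOWED[ext];

  if (bytes.length === 0) errors.push('empty file');
  if (bytes.length > MAX_BYTES) errors.push('file exceeds size limit');
  if (!rule) {
    errors.push(`extension "${ext || '(none)'}" is not allowed`);
    return { ok: false, name, errors };
  }
  // Claimed type and extension both come from the client, so agreement between
  // them proves little; the content sniff is the check that matters.
  if (claimedMime !== rule.mime) errors.push(`claimed type ${claimedMime} does not match .${ext}`);
  if (!startsWithMagic(bytes, rule.magic)) errors.push(`content is not ${rule.mime}`);
  return { ok: errors.length === 0, name, errors };
}

// Constructed sample inputs (not real uploads).
const PNG_BYTES = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const HTML_BYTES = new TextEncoder().encode('<script>alert(1)</script>');

// A file named and typed as PNG but containing HTML is rejected by the sniff.
const verdict = validateUpload({ filename: 'avatar.png', claimedMime: 'image/png', bytes: HTML_BYTES });
console.log(verdict.ok, verdict.errors);
```

Magic bytes only identify the container, not its safety, so a scanner or an image re-encode still belongs behind this check for formats that can carry active content.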

XSS Prevention

  • Preview URLs are created with URL.createObjectURL(), so no user-controlled string is inserted into the DOM; a blob: URL is safe as an img src, but do not navigate to it or load it in an iframe or object element, because the blob runs with your application's origin and an uploaded SVG or HTML file could then execute script
  • Always sanitize any user-provided metadata (filenames, captions, descriptions) before rendering; React escapes text children by default, so the exposure is in dangerouslySetInnerHTML or markup assembled by hand

CORS

  • When using presigned URLs, ensure proper CORS configuration on the bucket or storage endpoint, and remember that CORS is enforced only by browsers: it does not stop a non-browser client that obtains the URL, so keep presigned URLs short-lived and bind them to the expected key, content type and size where the storage service supports it
  • Limit allowed origins to your application domains; a wildcard origin combined with PUT lets any website that obtains a URL drive uploads from a visitor's browser
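The weak and the corrected CORS setting side by side, as an added example that is not part of dropup or its documentation. The rule shape follows the S3-style fields (AllowedOrigins, AllowedMethods, AllowedHeaders), the domains are assumptions, and corsDecision is a small model of the origin and method matching a storage service performs on a browser's preflight; it is not the service's own implementation.

```javascript
// Added example, not dropup code: how a bucket's CORS rules (S3-style field names,
// assumed) decide whether a page at a given Origin may PUT to a presigned URL.

// Weak: any site that gets hold of a presigned URL can upload from a victim's browser.
const WEAK_CORS = [
  { AllowedOrigins: ['*'], AllowedMethods: ['GET', 'PUT', 'POST'], AllowedHeaders: ['*'] },
];

// Hardened: only the application's own origins (assumed domains) and only the
// method and header the uploader actually sends.
const HARDENED_CORS = [
  {
    AllowedOrigins: ['https://app.example.com', 'https://*.staging.example.com'],
    AllowedMethods: ['PUT'],
    AllowedHeaders: ['Content-Type'],
    ExposeHeaders: ['ETag'],
    MaxAgeSeconds: 300,
  },
];

// Origin matching: '*' matches everything; otherwise exact match, with at most one
// '*' wildcard inside the pattern (e.g. https://*.example.com), as S3 allows.
function originAllowed(pattern, origin) {
  if (pattern === '*') return true;
  if (!pattern.includes('*')) return pattern === origin;
  const [prefix, suffix] = pattern.split('*');
  return (
    origin.length >= prefix.length + suffix.length &&
    origin.startsWith(prefix) &&
    origin.endsWith(suffix)
  );
}

// First rule that matches both method and origin wins, as in a preflight check.
// Returns the Access-Control-Allow-Origin value the service would echo back.
function corsDecision(rules, origin, method) {
  for (const rule of rules) {
    if (!rule.AllowedMethods.includes(method)) continue;
    if (!rule.AllowedOrigins.some((p) => originAllowed(p, origin))) continue;
    return { allowed: true, allowOrigin: rule.AllowedOrigins.includes('*') ? '*' : origin };
  }
  return { allowed: false, allowOrigin: null };
}

// Constructed scenario: an unrelated site tries to PUT to the bucket from a browser.
console.log('weak    :', corsDecision(WEAK_CORS, 'https://evil.example', 'PUT'));
console.log('hardened:', corsDecision(HARDENED_CORS, 'https://evil.example', 'PUT'));
console.log('own app :', corsDecision(HARDENED_CORS, 'https://app.example.com', 'PUT'));
```

Even with the hardened rules the decision only governs browsers; the URL's expiry and the signed conditions on key, content type and length are what limit a client that ignores CORS.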

Dependencies

dropup has minimal dependencies:

  • Peer dependency: React >= 16.8
  • Optional: tus-js-client (for resumable uploads)

We regularly audit and update dependencies for security patches.

There aren’t any published security advisories