
Stainless security considerations

Learn about our dependency security and how to report security issues.

We take dependency security very seriously. We have systems and processes in place to scan, be alerted to, and update dependencies for all SDKs we generate. We carefully review alert reports and their associated CVEs and take rapid action when necessary.

We have an automated system set up performing dependency scanning. This system alerts us to any vulnerabilities identified in our dependencies.

When a vulnerability is detected, we can quickly push an update to our codegen system to address the issue the next time a build is triggered. Dependency updates rely on the same release and versioning flow used for OpenAPI and Stainless config changes.

This ensures that the SDKs remain secure and up-to-date, as long as release PRs opened by Stainless are regularly merged.

We strongly recommend that you automate your OpenAPI updates so that your SDKs are built regularly without any manual action on your part.

While our systems will handle most cases, you may need to address a vulnerability quickly yourself. In that situation you can always open a PR directly on your SDK repository and merge it yourself. See our Add custom code docs for more details.

Stainless takes security seriously, and you are encouraged to report any security vulnerability promptly so that appropriate action can be taken.

Please contact the Stainless team at security@stainless.com with detailed information. We will review and respond promptly.

Report a security issue related to a Stainless service

For example:

Please contact the Stainless team at security@stainless.com with detailed information. We will review and respond promptly.

Report a security issue related to a Stainless customer API

If you encounter security issues that are not directly related to SDKs generated by Stainless but pertain to the services or products provided by the company that owns and publishes the SDK, please follow that company's security reporting guidelines.

See the file SECURITY.md present in SDKs generated by Stainless for details.

We appreciate the efforts of security researchers and individuals who help us maintain the security of SDKs we generate. If you believe you have found a security vulnerability, please adhere to responsible disclosure practices by allowing us a reasonable amount of time to investigate and address the issue before making any information public.

Thank you for helping us keep the SDKs and systems they interact with secure.