We provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |

If you discover a security vulnerability, please do not open a public issue. Instead, please report it privately:
- Email: [[email protected]] (replace with actual security contact)
- Subject: "Security Vulnerability in HERE Traffic SDK"

Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if you have one)

We will:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 7 days
- Keep you informed of our progress
- Credit you in the security advisory (if you wish)

When using the SDK, follow these practices:
- Never commit API keys to version control
- Use environment variables or secure credential stores
- Rotate API keys regularly
- Restrict API keys to trusted domains when possible
- Store credentials securely
- Never expose credentials in client-side code
- Use token refresh mechanisms
- Rotate credentials periodically
- Keep dependencies up to date
- Use HTTPS for all API requests
- Implement rate limiting on your side
- Monitor API usage for anomalies
- Review and audit API access regularly

When we receive a security bug report, we will:
- Confirm the issue and determine affected versions
- Develop a fix
- Release the fix in a timely manner
- Publicly disclose the vulnerability after the fix is available

We follow responsible disclosure practices and will credit researchers who report vulnerabilities responsibly.