Security at EPPlus Software
EPPlus Software is committed to transparency and responsible handling of security vulnerabilities. This section provides an overview of our security practices, including software composition, vulnerability scanning, and source code analysis.
Vulnerability Disclosure Policy
Our coordinated vulnerability disclosure policy describes how to report security vulnerabilities, what to expect from us, and how we handle reports. The policy is established in accordance with the EU Cyber Resilience Act.
Supported Versions
Support lifecycle for each EPPlus major version, including active support and security support periods. Security updates are provided free of charge during the security support period.
Software Bill of Materials (SBOM)
We publish a Software Bill of Materials for every EPPlus release, listing all third-party dependencies with versions, licenses and checksums. SBOMs are available in CycloneDX JSON format.
Vulnerability Disclosures
Publicly disclosed vulnerabilities in EPPlus and its dependencies. Each entry has been reviewed by the EPPlus team and includes an assessment with recommended actions.