Security at EPPlus Software

EPPlus Software is committed to transparency and responsible handling of security vulnerabilities. This section provides an overview of our security practices, including software composition, vulnerability scanning, and source code analysis.

Vulnerability Management


Vulnerability Disclosure Policy

Our coordinated vulnerability disclosure policy describes how to report security vulnerabilities, what to expect from us, and how we handle reports. It was established in accordance with the EU Cyber Resilience Act.

Vulnerability Disclosures

Publicly disclosed vulnerabilities in EPPlus and its dependencies. Each entry has been reviewed by the EPPlus team and includes an assessment with recommended actions.

Vulnerability Scanning

EPPlus and its dependencies are regularly scanned for known vulnerabilities. Scan results, including CVE references and remediation status, are published for each supported version.

Source Code Scanning

The EPPlus source code is continuously analyzed using GitHub CodeQL, which scans for potential security vulnerabilities and coding errors on every push to our main branches.

Product Information


Security Profile

What EPPlus is, how it runs, and what it is responsible for. Includes architectural profile and guidance for customer security assessments.

Supported Versions

Support lifecycle for each EPPlus major version, including active support and security support periods. Security updates are provided at no additional cost during the security support period. Eligibility for commercial use requires a current or previously held commercial license covering the major version.

Supply Chain Integrity


Code Signing

Every EPPlus release is digitally signed with a code-signing certificate issued by GlobalSign. All assemblies across all supported target frameworks — as well as the NuGet package itself — are signed as part of our automated release pipeline.

Software Bill of Materials (SBOM)

We publish a Software Bill of Materials for every EPPlus release, listing all third-party dependencies with versions, licenses and checksums. SBOMs are available in CycloneDX JSON format.