Security at EPPlus Software
EPPlus Software is committed to transparency and responsible handling of security vulnerabilities. This section provides an overview of our security practices, including software composition, vulnerability scanning, and source code analysis.
Software Bill of Materials (SBOM)
We publish a Software Bill of Materials for every EPPlus release, listing all third-party dependencies with versions, licenses and checksums. SBOMs are available in CycloneDX JSON format.
Source Code Scanning
The EPPlus source code is continuously analyzed using GitHub CodeQL, which scans for potential security vulnerabilities and coding errors on every push to our main branches.
Security Policy
Our security policy describes supported EPPlus versions, how to report vulnerabilities privately, our patching and update process, and code signing practices. It also includes a history of previously disclosed vulnerabilities and their resolutions.