Add a security policy
parent
25ec319ec9
commit
10ff87c900
1 changed files with 64 additions and 0 deletions
64
SECURITY.md
Normal file
@ -0,0 +1,64 @@
# Security Policy

## Supported Versions

Only the latest version of happyDomain is supported with security fixes.

| Version | Supported |
| ------- | --------- |
| latest | ✓ |
| < latest| ✗ |


## Scope

### In scope

- happyDomain application code (API/backend and web frontend)
- Other websites directly operated by the happyDomain team: documentation, main website, blog, git redirection, downloads website, demo instance, insights

### Out of scope

- Vulnerabilities in third-party dependencies that are not directly exploitable in happyDomain
- Social engineering attacks
- Denial-of-service attacks requiring significant resources


## Reporting a Vulnerability

If you discover a security vulnerability in happyDomain, please report it privately.

By email: security@happydomain.org
On GitHub: https://github.com/happydomain/happydomain/security/advisories
On Gitlab: https://gitlab.com/happyDomain/happyDomain/-/issues/new (check Confidential issue before submitting)
On Framagit: https://framagit.org/happyDomain/happyDomain/-/issues/new (check Confidential issue before submitting)

Please include:
- description of the vulnerability
- steps to reproduce
- potential impact


## Disclosure policy

We follow a responsible disclosure process.

After receiving a report we will:
1. acknowledge within 72 hours
2. investigate the issue
3. prepare a fix
4. publish a security advisory when the fix is available


## Safe Harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Report vulnerabilities through the channels listed above
- Avoid accessing, modifying, or deleting data that doesn't belong to them
- Avoid degrading the availability of our services
- Do not publicly disclose the vulnerability before a fix is available


## Credits

We are happy to credit security researchers who responsibly disclose vulnerabilities.
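Review bot: the email channel `By email: security@happydomain.org` in the "Reporting a Vulnerability" section gives reporters no PGP key or fingerprint, so a report containing reproduction steps for an unfixed bug can only be sent in the clear; consider adding a key or a link to one next to the address, e.g. `By email: security@happydomain.org (PGP: <fingerprint placeholder>)`. Two smaller points in the same hunk: the Supported Versions row `| < latest| ✗ |` is missing a space before the second pipe, and the disclosure steps commit to a 72-hour acknowledgement but give no target time to fix or coordinated-disclosure deadline, which the Safe Harbor condition "before a fix is available" depends on; stating a target window would tell researchers when they may publish if a fix stalls.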