We take security issues seriously and appreciate your efforts to responsibly disclose any vulnerabilities you find.

1. Do not create a public GitHub issue for security vulnerabilities
2. Email your findings to [INSERT SECURITY EMAIL] with the subject line: [SECURITY] Vulnerability in Civil-War-General
3. Include the following information in your report:
   • Description of the vulnerability
   • Steps to reproduce the issue
   • Impact of the vulnerability
   • Any potential mitigations or workarounds
   • Your name/handle for credit (optional)

• We will acknowledge receipt of your report within 3 business days
• We will keep you informed about the progress toward fixing the vulnerability
• We will credit you for your discovery (unless you prefer to remain anonymous)
• We will not take legal action against you if you:
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
  • Only interact with accounts you own or with explicit permission of the account holder
  • Give us reasonable time to address the issue before making any information public

Security updates will be released as patch versions following Semantic Versioning.

1. Keep Dependencies Updated:

   • Regularly update your project dependencies using:

     mvn versions:display-dependency-updates

2. Secure Configuration:

   • Never commit sensitive information (API keys, passwords) to version control
   • Use environment variables or secure configuration management

3. Input Validation:

   • Always validate and sanitize user input
   • Use parameterized queries to prevent SQL injection

1. Dependency Security:

   • Regularly check for vulnerable dependencies using:

     mvn org.owasp:dependency-check-maven:check

   • Review and update the OWASP dependency-check configuration in pom.xml

2. Secure Coding Practices:

   • Follow the OWASP Secure Coding Practices
   • Implement proper error handling that doesn't leak sensitive information
   • Use secure random number generation for any security-sensitive operations

3. Authentication & Authorization:

   • Implement proper authentication mechanisms if applicable
   • Follow the principle of least privilege
   • Validate all user inputs and outputs

4. Data Protection:

   • Encrypt sensitive data at rest and in transit
   • Implement proper session management
   • Use secure password hashing (bcrypt, Argon2, PBKDF2) if handling passwords

1. File Operations:

   • The application reads order configurations from JSON files
   • Ensure proper file permissions are set on configuration files
   • Validate all input files against a strict schema

2. Network Security:

   • If network features are added, always use HTTPS/TLS for all communications
   • Implement proper CORS policies if exposing web services

3. Logging:

   • Avoid logging sensitive information
   • Implement proper log rotation and retention policies

We recommend using the following security tools:

1. Dependency Scanning:

   • OWASP Dependency-Check Maven Plugin
   • Snyk

2. Static Analysis:

   • SpotBugs with Find Security Bugs plugin
   • SonarQube with security rules enabled

3. Dynamic Analysis:

   • OWASP ZAP (Zed Attack Proxy)
   • Burp Suite Community Edition

We are committed to:

• Promptly addressing reported security vulnerabilities
• Releasing security patches in a timely manner
• Maintaining clear communication with security researchers
• Providing credit to security researchers who responsibly disclose vulnerabilities

For security-related questions or concerns, please contact [INSERT SECURITY EMAIL].

Last Updated: 2025-03-20 This policy is adapted from the GitHub Security Policy Template.