Closed
Changes from 1 commit
95 changes: 95 additions & 0 deletions SECURITY.md
@@ -1,5 +1,100 @@








# Security Policy

## Supported Versions

Only the latest version receives security updates.

| Version | Supported |
| ------- | ------------------ |
| Latest | ✅ |
| Older | ❌ |

## Reporting a Vulnerability

If you believe you have found a security vulnerability in Probo,
please report it responsibly by emailing
[security@getprobo.com](mailto:security@getprobo.com).

**Please do NOT create public GitHub issues for security vulnerabilities.**

### What to Include in Your Report
- A clear description of the vulnerability
- Steps to reproduce the issue
- Affected version(s)
- Potential impact of the vulnerability
- Any suggested fix (optional but appreciated)

## Scope

### In Scope
- `getprobo.com` and all subdomains
- Probo open source codebase (this repository)
- Authentication & authorization issues
- Data exposure vulnerabilities
- API security issues
- Injection vulnerabilities (SQLi, XSS, CSRF, etc.)

### Out of Scope
- Denial of Service (DoS/DDoS) attacks
- Social engineering attacks
- Physical security attacks
- Vulnerabilities in third-party services
- Issues already known or previously reported
- Automated scanner reports without proof of exploitability

## Response Process

| Timeline | Action |
|----------|--------|
| 48 hours | Acknowledgement of your report |
| 5 days | Initial assessment and severity rating |
| 30 days | Target resolution for critical/high issues |
| 90 days | Target resolution for medium/low issues |

We follow responsible disclosure — once a fix is released,
we'll notify you and you're free to publish your findings.

## Severity Rating

We use the following severity ratings aligned with
**ISO/IEC 27001** and **CVSS v3.1**:

| Severity | Description |
|----------|-------------|
| 🔴 Critical | Direct data breach, authentication bypass, RCE |
| 🟠 High | Privilege escalation, significant data exposure |
| 🟡 Medium | Limited data exposure, CSRF, open redirects |
| 🟢 Low | Minor issues, information disclosure |
| ℹ️ Info | Best practice improvements |

## Our Commitment

- We will not take legal action against researchers
who follow responsible disclosure
- We will keep your report confidential
- We will credit you for your finding (if you wish)
- We will work with you to understand and resolve the issue

## Hall of Fame

We appreciate security researchers who help keep Probo secure.
Responsible disclosures will be acknowledged here. 🙏

*Be the first to be listed here!*

---

*Last updated: March 2026*
*Aligned with ISO/IEC 27001:2022 Information Security Standards*# Security Policy

## Reporting a Vulnerability

If you believe you have found a security vulnerability in this
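Review bot: The new policy is prepended to the existing file instead of replacing it. The hunk header `@@ -1,5 +1,100 @@` and the "95 additions & 0 deletions" count show the original five lines are retained, so after the added `*Aligned with ISO/IEC 27001:2022 Information Security Standards*` line the old `# Security Policy` / `## Reporting a Vulnerability` / `If you believe you have found a security vulnerability in this` block still follows, leaving the file with two top-level headings and two overlapping reporting sections (the added line also has no trailing newline, which is why it runs straight into the old heading). Suggest removing the original five lines in this same change so the file carries a single policy. Secondary point: the Severity Rating section states the ratings are aligned with CVSS v3.1, but the table gives no score bands; adding the CVSS range each row corresponds to would make the severity assigned during the 5-day assessment reproducible for reporters.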