|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We release patches for security vulnerabilities in the following versions: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 1.x.x | :white_check_mark: | |
| 10 | +| < 1.0 | :x: | |
| 11 | + |
| 12 | +> **Note:** Please update this table to reflect the actual versions you support. |
| 13 | +
|
| 14 | +--- |
| 15 | + |
| 16 | +## Reporting a Vulnerability |
| 17 | + |
| 18 | +We take the security of our software seriously. If you believe you have found a security vulnerability, please report it to us as described below. |
| 19 | + |
| 20 | +### How to Report |
| 21 | + |
| 22 | +**Please do not report security vulnerabilities through public GitHub issues.** |
| 23 | + |
| 24 | +Instead, please email us at **[security@skedgo.com](mailto:security@skedgo.com)**. |
| 25 | + |
| 26 | +You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message. |
| 27 | + |
| 28 | +### What to Include |
| 29 | + |
| 30 | +Please include the following information in your report: |
| 31 | + |
| 32 | +- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.) |
| 33 | +- Full paths of source file(s) related to the manifestation of the issue |
| 34 | +- The location of the affected source code (tag/branch/commit or direct URL) |
| 35 | +- Any special configuration required to reproduce the issue |
| 36 | +- Step-by-step instructions to reproduce the issue |
| 37 | +- Proof-of-concept or exploit code (if possible) |
| 38 | +- Impact of the issue, including how an attacker might exploit it |
| 39 | + |
| 40 | +This information will help us triage your report more quickly. |
| 41 | + |
| 42 | +### What to Expect |
| 43 | + |
| 44 | +After you submit a report, we will: |
| 45 | + |
| 46 | +1. **Acknowledge** your email within 48 hours |
| 47 | +2. **Investigate** the issue and confirm the vulnerability |
| 48 | +3. **Keep you informed** of our progress toward a fix |
| 49 | +4. **Release** a security patch as appropriate |
| 50 | +5. **Credit** you in our release notes (if you wish to be named) |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +## Security Best Practices for Contributors |
| 55 | + |
| 56 | +If you're contributing to this project, please follow these security guidelines: |
| 57 | + |
| 58 | +### Code Review |
| 59 | +- All code changes must go through Pull Requests |
| 60 | +- PRs require approval from at least one maintainer before merging |
| 61 | +- No direct commits to `main` or protected branches |
| 62 | + |
| 63 | +### Dependencies |
| 64 | +- Keep dependencies up to date |
| 65 | +- Review dependency changes for known vulnerabilities |
| 66 | +- Use automated tools like Dependabot to monitor security issues |
| 67 | + |
| 68 | +### Secrets Management |
| 69 | +- **Never** commit credentials, API keys, tokens, or other secrets |
| 70 | +- Use environment variables or secure secret management systems |
| 71 | +- Review commits for accidentally included secrets before pushing |
| 72 | + |
| 73 | +### Secure Coding |
| 74 | +- Follow [OWASP Top 10](https://owasp.org/www-project-top-ten/) best practices |
| 75 | +- Validate and sanitize all user inputs |
| 76 | +- Use parameterized queries to prevent SQL injection |
| 77 | +- Implement proper authentication and authorization |
| 78 | +- Use HTTPS/TLS for all network communications |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +## Security Features |
| 83 | + |
| 84 | +This project includes the following security measures: |
| 85 | + |
| 86 | +- **Dependabot alerts** enabled for vulnerable dependencies |
| 87 | +- **Secret scanning** enabled to prevent credential leaks |
| 88 | +- **Code review** required for all changes |
| 89 | +- **Branch protection** rules enforced on main branches |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +## Disclosure Policy |
| 94 | + |
| 95 | +We follow a **coordinated disclosure** approach: |
| 96 | + |
| 97 | +1. Security issues are privately investigated and patched |
| 98 | +2. A security advisory is prepared but not published |
| 99 | +3. We notify relevant parties (e.g., major users, downstream projects) |
| 100 | +4. A patch release is made available |
| 101 | +5. The security advisory is published after users have had time to update |
| 102 | + |
| 103 | +We aim to complete this process within 90 days of the initial report, though complex issues may take longer. |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +## Security Update Policy |
| 108 | + |
| 109 | +Security updates are released as: |
| 110 | +- **Patch versions** (x.x.X) for currently supported versions |
| 111 | +- **Security advisories** published on our GitHub Security Advisories page |
| 112 | +- **Release notes** clearly marking security-related changes |
| 113 | + |
| 114 | +--- |
| 115 | + |
| 116 | +## Additional Resources |
| 117 | + |
| 118 | +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) |
| 119 | +- [CWE Top 25 Most Dangerous Software Weaknesses](https://cwe.mitre.org/top25/) |
| 120 | +- [GitHub Security Best Practices](https://docs.github.com/en/code-security) |
| 121 | + |
| 122 | +--- |
| 123 | + |
| 124 | +## Contact |
| 125 | + |
| 126 | +For general security questions or concerns, please contact: |
| 127 | +- **Email:** [security@skedgo.com](mailto:security@skedgo.com) |
| 128 | + |
| 129 | +--- |
| 130 | + |
| 131 | +> **Last Updated:** {{ DATE }} |
| 132 | +> **Version:** 1.0 |
| 133 | +> |
| 134 | +> This security policy is maintained by the repository maintainers and reviewed regularly. |
0 commit comments