TypeDialog/SECURITY.md
2025-12-24 03:11:32 +00:00

Security Policy

Supported Versions

  Version   Supported
  0.1.x     Yes

Reporting a Vulnerability

Please DO NOT report security vulnerabilities via public GitHub issues.

Private Reporting

Send vulnerability reports to: jpl@jesusperez.com

Include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix timeline: Depends on severity (coordinated with reporter)
  • Public disclosure: After fix is released (coordinated disclosure)

Security Advisories

We use GitHub Security Advisories for:

  • Private coordination on fixes
  • CVE assignment
  • Public disclosure after fixes

Security Best Practices

For Users

  1. Verify downloads: Check SHA256 checksums

    sha256sum -c SHA256SUMS

  2. Use latest version: Security fixes are not backported

  3. Audit dependencies: Run just dev::audit regularly

For Contributors

  1. Input validation: Validate all user input
  2. No secrets in code: Use environment variables
  3. Dependency audits: Check cargo audit before PRs
  4. SBOM compliance: Ensure SBOM.*.json are updated

Known Security Considerations

Encryption Features

  • TypeDialog uses industry-standard encryption (secretumvault)
  • Configuration files may contain sensitive data - protect with file permissions

Web Backend

  • Production configs enable CSRF protection and rate limiting
  • See config/web/production.toml for security settings

AI Backend

  • API keys stored in environment variables only
  • No API keys in logs or error messages
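The two AI-backend rules above (keys come only from the environment; keys never appear in logs or error messages) are easiest to enforce with a wrapper type rather than with discipline at every call site. The following Rust snippet is an added illustration of that pattern, written for this page and not taken from TypeDialog itself; the environment variable name EXAMPLE_AI_API_KEY and the sample key value are constructed for the example.

```rust
use std::env;
use std::fmt;

/// Wrapper for an AI backend API key. It is normally constructed only from
/// the environment, and its Debug/Display output is always redacted, so the
/// key cannot reach a log line or an error message through a stray `{:?}`.
pub struct ApiKey(String);

impl ApiKey {
    /// Wrap an already-obtained key (used here for a constructed sample value).
    pub fn new(raw: String) -> ApiKey {
        ApiKey(raw)
    }

    /// Read the key from the environment variable `var`. The error text names
    /// the variable but never contains a value, so it is safe to surface.
    pub fn from_env(var: &str) -> Result<ApiKey, String> {
        match env::var(var) {
            Ok(v) if !v.trim().is_empty() => Ok(ApiKey(v)),
            Ok(_) => Err(format!("environment variable {var} is set but empty")),
            Err(_) => Err(format!("environment variable {var} is not set")),
        }
    }

    /// The single deliberate exposure point: the raw key goes straight into
    /// the outbound request header and nowhere else.
    pub fn expose_secret(&self) -> &str {
        &self.0
    }

    /// Scrub the key from text that came back from an upstream service
    /// (some providers echo the bearer token in 401 bodies) before that text
    /// is logged or shown to the user.
    pub fn redact_from(&self, text: &str) -> String {
        if self.0.is_empty() {
            return text.to_string();
        }
        text.replace(&self.0, "[REDACTED]")
    }
}

impl fmt::Debug for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "ApiKey([REDACTED])")
    }
}

impl fmt::Display for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "[REDACTED]")
    }
}

/// Build the user-facing message for a failed upstream call. The upstream
/// body is passed through `redact_from`, so even an echoed key is scrubbed.
pub fn upstream_error_message(key: &ApiKey, status: u16, body: &str) -> String {
    format!(
        "AI backend request failed with status {status}: {}",
        key.redact_from(body)
    )
}

fn main() {
    // Hypothetical variable name for this example; TypeDialog's real
    // configuration is not shown here.
    match ApiKey::from_env("EXAMPLE_AI_API_KEY") {
        Ok(key) => println!("loaded key: {key:?}"), // prints ApiKey([REDACTED])
        Err(e) => eprintln!("{e}"),
    }
}
```

The design choice is that the only way to read the raw key is an explicitly named method, so a code reviewer can grep for `expose_secret` and check that every use feeds an HTTP client rather than a logger or an error string.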

Dependency Security

We use:

  • cargo-audit for known vulnerabilities
  • cargo-deny for license/security policies
  • Automated dependency updates via Renovate

Security Scanning

CI pipeline includes:

  • Dependency audit (cargo audit)
  • License compliance (cargo-deny)
  • SBOM verification (SPDX + CycloneDX)

Contact

For security concerns: contact via repositories.

For general support: GitHub Issues