TypeDialog/SECURITY.md
2025-12-24 03:11:32 +00:00

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |
## Reporting a Vulnerability
**Please DO NOT report security vulnerabilities via public GitHub issues.**
### Private Reporting
Send vulnerability reports to: **jpl@jesusperez.com**
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
### Response Timeline
- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 1 week
- **Fix timeline**: Depends on severity (coordinated with reporter)
- **Public disclosure**: After fix is released (coordinated disclosure)
### Security Advisories
We use [GitHub Security Advisories](https://github.com/jesusperezlorenzo/typedialog/security/advisories) for:
- Private coordination on fixes
- CVE assignment
- Public disclosure after fixes
## Security Best Practices
### For Users
1. **Verify downloads**: Check SHA256 checksums
   ```bash
   sha256sum -c SHA256SUMS
   ```
2. **Use latest version**: Security fixes are not backported
3. **Audit dependencies**: Run `just dev::audit` regularly
### For Contributors
1. **Input validation**: Validate all user input
2. **No secrets in code**: Use environment variables
3. **Dependency audits**: Check `cargo audit` before PRs
4. **SBOM compliance**: Ensure the `SBOM.*.json` files are updated
## Known Security Considerations
### Encryption Features
- TypeDialog uses industry-standard encryption (secretumvault)
- Configuration files may contain sensitive data; protect them with restrictive file permissions
### Web Backend
- Production configs enable CSRF protection and rate limiting
- See `config/web/production.toml` for security settings
### AI Backend
- API keys stored in environment variables only
- No API keys in logs or error messages
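The two AI-backend rules above (keys come only from the environment, and never appear in logs or error messages) are easiest to enforce with a newtype whose `Debug` and `Display` output is always redacted. The following is an added illustration, not TypeDialog's own code; the variable name `TYPEDIALOG_API_KEY`, the `ApiKey`/`AiBackendConfig` types and the `from_lookup` helper are assumptions made for the example.

```rust
use std::env;
use std::fmt;

/// Newtype for an API key so the raw value cannot escape through
/// `Debug`/`Display`, which is what ends up in logs and error messages.
/// (Added example; not TypeDialog's own code.)
pub struct ApiKey(String);

impl ApiKey {
    /// Read the key from an environment variable only (never a config file
    /// or a source literal). The variable name is the caller's choice.
    pub fn from_env(var: &str) -> Result<Self, ConfigError> {
        Self::from_lookup(var, |name| env::var(name).ok())
    }

    /// Same validation with an injectable lookup, so the logic can be tested
    /// without mutating the process environment.
    pub fn from_lookup<F>(var: &str, lookup: F) -> Result<Self, ConfigError>
    where
        F: FnOnce(&str) -> Option<String>,
    {
        match lookup(var) {
            Some(v) if !v.trim().is_empty() => Ok(ApiKey(v)),
            Some(_) => Err(ConfigError::Empty(var.to_string())),
            None => Err(ConfigError::Missing(var.to_string())),
        }
    }

    /// Explicit accessor: the only way to reach the raw value, so every use
    /// is visible in code review.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

// Both formatters emit a fixed marker, so `{:?}` and `{}` (and therefore any
// log macro or panic message that formats the key) never reveal it.
impl fmt::Debug for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("ApiKey([REDACTED])")
    }
}

impl fmt::Display for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[REDACTED]")
    }
}

/// Error type that names the variable, never its value.
#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Missing(String),
    Empty(String),
}

impl fmt::Display for ConfigError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ConfigError::Missing(v) => write!(f, "environment variable {v} is not set"),
            ConfigError::Empty(v) => write!(f, "environment variable {v} is empty"),
        }
    }
}

/// A settings struct that derives `Debug` picks up the redacting impl
/// automatically, so dumping the whole config at startup is safe.
#[derive(Debug)]
pub struct AiBackendConfig {
    pub model: String,
    pub api_key: ApiKey,
}

/// True if a rendered string still contains the secret (used to verify
/// redaction in tests).
pub fn leaks(rendered: &str, secret: &str) -> bool {
    rendered.contains(secret)
}

fn main() {
    // Reads the real environment; when the variable is unset the error
    // names only the variable, never a value.
    match ApiKey::from_env("TYPEDIALOG_API_KEY") {
        Ok(key) => {
            let cfg = AiBackendConfig { model: "demo-model".into(), api_key: key };
            println!("loaded config: {cfg:?}");
        }
        Err(e) => eprintln!("startup failed: {e}"),
    }
}
```

Because the only way to read the raw key is `expose()`, a search for that call site is a complete audit of where the secret is used; everything else (config dumps, structured logging, error paths) formats through the redacting impls.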
## Dependency Security
We use:
- `cargo-audit` for known vulnerabilities
- `cargo-deny` for license/security policies
- Automated dependency updates via Renovate
## Security Scanning
CI pipeline includes:
- Dependency audit (`cargo audit`)
- License compliance (`cargo-deny`)
- SBOM verification (SPDX + CycloneDX)
## Contact
For security concerns: use the private reporting channels above (email or GitHub Security Advisories on the repository).
For general support: GitHub Issues