secretumvault/SECURITY.md

# Security Policy

## Supported Versions

This project provides security updates for the following versions:

| Version | Supported |
|---------|-----------|
| 1.x     | ✅ Yes    |
| 0.x     | ❌ No     |

Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.

## Reporting a Vulnerability

**Do not open public GitHub issues for security vulnerabilities.**

Instead, please report security issues to the maintainers privately:

### Reporting Process

1. Email security details to the maintainers (see project README for contact)
2. Include:
   - Description of the vulnerability
   - Steps to reproduce (if possible)
   - Potential impact
   - Suggested fix (if you have one)

3. Expect acknowledgment within 48 hours
4. We will work on a fix and coordinate disclosure timing

### Responsible Disclosure

- Allow reasonable time for a fix before public disclosure
- Work with us to understand and validate the issue
- Maintain confidentiality until the fix is released

## Security Best Practices

### For Users

- Keep dependencies up to date
- Use the latest version of this project
- Review security advisories regularly
- Report vulnerabilities responsibly

### For Contributors

- Run `cargo audit` before submitting PRs
- Use `cargo deny` to check license compliance
- Follow secure coding practices
- Don't hardcode secrets or credentials
- Validate all external inputs

## Dependency Security

We use automated tools to monitor dependencies:

- **cargo-audit**: Scans for known security vulnerabilities
- **cargo-deny**: Checks licenses and bans unsafe dependencies

These run in CI on every push and PR.

## Code Review

All code changes go through review before merging:
- At least one maintainer review required
- Security implications considered
- Tests required for all changes
- CI checks must pass

## Known Vulnerabilities

We maintain transparency about known issues:
- Documented in GitHub security advisories
- Announced in release notes
- Tracked in issues with `security` label

## Security Contact

For security inquiries, please contact:
- Email: [project maintainers]
- Issue: Open a private security advisory on GitHub

## Changelog

Security fixes are highlighted in CHANGELOG.md with [SECURITY] prefix.

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE: Common Weakness Enumeration](https://cwe.mitre.org/)
- [Rust Security](https://www.rust-lang.org/governance/security-disclosures)
- [npm Security](https://docs.npmjs.com/about-npm/security)

## Questions?

If you have security questions (not vulnerabilities), open a discussion or issue with the `security` label.
chore: add CI/CD files and .typedialog for ci settings 2025-12-29 04:19:26 +00:00			`# Security Policy`

			`## Supported Versions`

			`This project provides security updates for the following versions:`

			`\| Version \| Supported \|`
			`\|---------\|-----------\|`
			`\| 1.x \| ✅ Yes \|`
			`\| 0.x \| ❌ No \|`

			`Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.`

			`## Reporting a Vulnerability`

			`Do not open public GitHub issues for security vulnerabilities.`

			`Instead, please report security issues to the maintainers privately:`

			`### Reporting Process`

			`1. Email security details to the maintainers (see project README for contact)`
			`2. Include:`
			`- Description of the vulnerability`
			`- Steps to reproduce (if possible)`
			`- Potential impact`
			`- Suggested fix (if you have one)`

			`3. Expect acknowledgment within 48 hours`
			`4. We will work on a fix and coordinate disclosure timing`

			`### Responsible Disclosure`

			`- Allow reasonable time for a fix before public disclosure`
			`- Work with us to understand and validate the issue`
			`- Maintain confidentiality until the fix is released`

			`## Security Best Practices`

			`### For Users`

			`- Keep dependencies up to date`
			`- Use the latest version of this project`
			`- Review security advisories regularly`
			`- Report vulnerabilities responsibly`

			`### For Contributors`

			- Run `cargo audit` before submitting PRs
			- Use `cargo deny` to check license compliance
			`- Follow secure coding practices`
			`- Don't hardcode secrets or credentials`
			`- Validate all external inputs`

			`## Dependency Security`

			`We use automated tools to monitor dependencies:`

			`- cargo-audit: Scans for known security vulnerabilities`
			`- cargo-deny: Checks licenses and bans unsafe dependencies`

			`These run in CI on every push and PR.`

			`## Code Review`

			`All code changes go through review before merging:`
			`- At least one maintainer review required`
			`- Security implications considered`
			`- Tests required for all changes`
			`- CI checks must pass`

			`## Known Vulnerabilities`

			`We maintain transparency about known issues:`
			`- Documented in GitHub security advisories`
			`- Announced in release notes`
			- Tracked in issues with `security` label

			`## Security Contact`

			`For security inquiries, please contact:`
			`- Email: [project maintainers]`
			`- Issue: Open a private security advisory on GitHub`

			`## Changelog`

			`Security fixes are highlighted in CHANGELOG.md with [SECURITY] prefix.`

			`## Resources`

			`- [OWASP Top 10](https://owasp.org/www-project-top-ten/)`
			`- [CWE: Common Weakness Enumeration](https://cwe.mitre.org/)`
			`- [Rust Security](https://www.rust-lang.org/governance/security-disclosures)`
			`- [npm Security](https://docs.npmjs.com/about-npm/security)`

			`## Questions?`

			If you have security questions (not vulnerabilities), open a discussion or issue with the `security` label.