jesus/secretumvault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
secretumvault/SECURITY.md
Jesús Pérez 196c70d840
chore: add CI/CD files and .typedialog for ci settings
2025-12-29 04:19:26 +00:00

2.6 KiB
Raw Blame History

Security Policy

Supported Versions

This project provides security updates for the following versions:

Version Supported
1.x Yes
0.x No

Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.

Reporting a Vulnerability

Do not open public GitHub issues for security vulnerabilities.

Instead, please report security issues to the maintainers privately:

Reporting Process

  1. Email security details to the maintainers (see project README for contact)

  2. Include:

    • Description of the vulnerability
    • Steps to reproduce (if possible)
    • Potential impact
    • Suggested fix (if you have one)

  3. Expect acknowledgment within 48 hours

  4. We will work on a fix and coordinate disclosure timing

Responsible Disclosure

  • Allow reasonable time for a fix before public disclosure
  • Work with us to understand and validate the issue
  • Maintain confidentiality until the fix is released

Security Best Practices

For Users

  • Keep dependencies up to date
  • Use the latest version of this project
  • Review security advisories regularly
  • Report vulnerabilities responsibly

For Contributors

  • Run cargo audit before submitting PRs
  • Use cargo deny to check license compliance
  • Follow secure coding practices
  • Don't hardcode secrets or credentials
  • Validate all external inputs

Dependency Security

We use automated tools to monitor dependencies:

  • cargo-audit: Scans for known security vulnerabilities
  • cargo-deny: Checks licenses and bans unsafe dependencies

These run in CI on every push and PR.

Code Review

All code changes go through review before merging:

  • At least one maintainer review required
  • Security implications considered
  • Tests required for all changes
  • CI checks must pass

Known Vulnerabilities

We maintain transparency about known issues:

  • Documented in GitHub security advisories
  • Announced in release notes
  • Tracked in issues with security label

Security Contact

For security inquiries, please contact:

  • Email: [project maintainers]
  • Issue: Open a private security advisory on GitHub

Changelog

Security fixes are highlighted in CHANGELOG.md with [SECURITY] prefix.

Resources

Questions?

If you have security questions (not vulnerabilities), open a discussion or issue with the security label.