jesus/secretumvault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
secretumvault/SECURITY.md
Jesús Pérez 196c70d840
chore: add CI/CD files and .typedialog for ci settings
2025-12-29 04:19:26 +00:00

99 lines
2.6 KiB
Markdown
Raw Blame History

# Security Policy
## Supported Versions
This project provides security updates for the following versions:
| Version | Supported |
|---------|-----------|
| 1.x | ✅ Yes |
| 0.x | ❌ No |
Only the latest major version receives security patches. Users are encouraged to upgrade to the latest version.
## Reporting a Vulnerability
**Do not open public GitHub issues for security vulnerabilities.**
Instead, please report security issues to the maintainers privately:
### Reporting Process
1. Email security details to the maintainers (see project README for contact)
2. Include:
- Description of the vulnerability
- Steps to reproduce (if possible)
- Potential impact
- Suggested fix (if you have one)
3. Expect acknowledgment within 48 hours
4. We will work on a fix and coordinate disclosure timing
### Responsible Disclosure
- Allow reasonable time for a fix before public disclosure
- Work with us to understand and validate the issue
- Maintain confidentiality until the fix is released
## Security Best Practices
### For Users
- Keep dependencies up to date
- Use the latest version of this project
- Review security advisories regularly
- Report vulnerabilities responsibly
### For Contributors
- Run `cargo audit` before submitting PRs
- Use `cargo deny` to check license compliance
- Follow secure coding practices
- Don't hardcode secrets or credentials
- Validate all external inputs
## Dependency Security
We use automated tools to monitor dependencies:
- **cargo-audit**: Scans for known security vulnerabilities
- **cargo-deny**: Checks licenses and bans unsafe dependencies
These run in CI on every push and PR.
## Code Review
All code changes go through review before merging:
- At least one maintainer review required
- Security implications considered
- Tests required for all changes
- CI checks must pass
## Known Vulnerabilities
We maintain transparency about known issues:
- Documented in GitHub security advisories
- Announced in release notes
- Tracked in issues with `security` label
## Security Contact
For security inquiries, please contact:
- Email: [project maintainers]
- Issue: Open a private security advisory on GitHub
## Changelog
Security fixes are highlighted in CHANGELOG.md with [SECURITY] prefix.
## Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE: Common Weakness Enumeration](https://cwe.mitre.org/)
- [Rust Security](https://www.rust-lang.org/governance/security-disclosures)
- [npm Security](https://docs.npmjs.com/about-npm/security)
## Questions?
If you have security questions (not vulnerabilities), open a discussion or issue with the `security` label.
Reference in New Issue View Git Blame Copy Permalink