feat: add CODE_OF_CONDUCT and SECURITY.md files for community guidelines and vulnerability reporting
.github/SECURITY.md (new file, 86 lines, marked vendored)
@@ -0,0 +1,86 @@
# Security Policy
## Supported Versions
We provide security updates for the following versions:
| Version | Supported |
| ------- | ------------------ |
| Latest | :white_check_mark: |
| Older | :x: |
We strongly recommend that users always use the latest version for the best security and features.
## Reporting a Vulnerability
We take security vulnerability reports very seriously. If you discover a security issue, please follow the steps below for responsible disclosure.
### How to Report
**Do NOT** report security vulnerabilities in public GitHub Issues.
To report a security issue, please use the GitHub Security Advisories tab to "Open a draft security advisory". This is the preferred method as it provides a built-in private communication channel.
Alternatively, you can report via email:
- **Email:** support@quantumnous.com
- **Subject:** `[SECURITY] Security Vulnerability Report`
### What to Include
To help us understand and resolve the issue more quickly, please include the following information in your report:
1. **Vulnerability Type** - Brief description of the vulnerability (e.g., SQL injection, XSS, authentication bypass, etc.)
2. **Affected Component** - Affected file paths, endpoints, or functional modules
3. **Reproduction Steps** - Detailed steps to reproduce
4. **Impact Assessment** - Potential security impact and severity assessment
5. **Proof of Concept** - If possible, provide proof of concept code or screenshots (do not test in production environments)
6. **Suggested Fix** - If you have a fix suggestion, please provide it
7. **Your Contact Information** - So we can communicate with you
## Response Process
1. **Acknowledgment:** We will acknowledge receipt of your report within **48 hours**.
2. **Initial Assessment:** We will complete an initial assessment and communicate with you within **7 days**.
3. **Fix Development:** Based on the severity of the vulnerability, we will prioritize developing a fix.
4. **Security Advisory:** After the fix is released, we will publish a security advisory (if applicable).
5. **Credit:** If you wish, we will credit your contribution in the security advisory.
## Security Best Practices
When deploying and using New API, we recommend following these security best practices:
### Deployment Security
- **Use HTTPS:** Always serve over HTTPS to ensure transport layer security
- **Firewall Configuration:** Only open necessary ports and restrict access to management interfaces
- **Regular Updates:** Update to the latest version promptly to receive security patches
- **Environment Isolation:** Use separate database and Redis instances in production
### API Key Security
- **Key Protection:** Do not expose API keys in client-side code or public repositories
- **Least Privilege:** Create different API keys for different purposes, following the principle of least privilege
- **Regular Rotation:** Rotate API keys regularly
- **Monitor Usage:** Monitor API key usage and detect anomalies promptly
### Database Security
- **Strong Passwords:** Use strong passwords to protect database access
- **Network Isolation:** Database should not be directly exposed to the public internet
- **Regular Backups:** Regularly backup the database and verify backup integrity
- **Access Control:** Limit database user permissions, following the principle of least privilege
## Security-Related Configuration
Please ensure the following security-related environment variables and settings are properly configured:
- `SESSION_SECRET` - Use a strong random string
- `SQL_DSN` - Ensure database connection uses secure configuration
- `REDIS_CONN_STRING` - If using Redis, ensure secure connection
For detailed configuration instructions, please refer to the project documentation.
## Disclaimer
This project is provided "as is" without any express or implied warranty. Users should assess the security risks of using this software in their environment.
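Review bot: the email fallback under "How to Report" (support@quantumnous.com) offers no way to encrypt a report, even though "What to Include" asks for reproduction steps and proof-of-concept code; either publish a PGP key (or a security.txt pointing to one) next to the address, or state that the advisory channel is required for reports carrying a PoC and the mailbox is only for initial contact. Two smaller gaps in the same hunk: the "Supported Versions" table says "Latest" without saying whether that means the latest tagged release or the main branch, and the "Response Process" commits to 48 hours and 7 days for acknowledgment and assessment but gives the reporter no remediation or coordinated-disclosure window for "Fix Development", so a reporter cannot tell when they may publish. Under "Security-Related Configuration", "Use a strong random string" for `SESSION_SECRET` would be more actionable with a minimum length and a source (e.g. 32 bytes from a CSPRNG) instead of leaving it to the deployer.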