SEO & structured data: - layout: metadataBase, template titles, OG image, canonical URL, robots config - JSON-LD WebApplication/Site structured data on all pages - Removed twitter:card (no Twitter/X integration) - robots.ts: allow all, disallow /api/ /auth/ /profile/ /health/ - sitemap.ts: 14 routes with priority levels - opengraph-image.tsx: generated neon DegenFeed social card (1200x630) New pages: - /about: mission, Rug Munch Media LLC, open source, infrastructure - /faq: 15 questions - /legal: LLC notice, DMCA agent, DPO, governing law - /acceptable-use: 8 rules linked from Terms - /community-guidelines: 12 instance rules Legal improvements: - Privacy: added COPPA, GDPR rights, CCPA rights, Data Protection Officer - Terms: DMCA notice, age 16 (EU-friendly), Wyoming law, LLC attribution Open source: - LICENSE (MIT), CONTRIBUTING.md, SECURITY.md, CODEOWNERS, CODE_OF_CONDUCT.md - Footer: git.rugmunch.io + codeberg.org links
1.9 KiB
1.9 KiB
Security Policy
Reporting a Vulnerability
Do NOT open a public issue for security bugs.
Instead, send a detailed report to security@degenfeed.xyz.
We take all security reports seriously. Good-faith security researchers are protected under our safe harbor policy.
What to include
- Description of the vulnerability
- Steps to reproduce
- Affected components and versions
- Any proof-of-concept code (if available)
- Your PGP public key for encrypted follow-up (optional)
Response SLA
| Severity | Acknowledgment | Patch |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 48 hours | 14 days |
| Medium | 5 days | 30 days |
| Low | Next release | Next release |
Public key
A PGP key for security@degenfeed.xyz will be published at /.well-known/security.txt.
Currently, report via email without encryption. We will acknowledge within 48 hours.
Supported Versions
| Version | Supported |
|---|---|
| Latest release | YES |
| All prior versions | NO |
Only the latest deployed version receives security patches.
Scope
degenfeed-webmonorepo (all packages and apps)- Cloudflare Worker (
degenfeed-api) social.degenfeed.xyz(GotoSocial instance)degenfeed.xyz(Cloudflare Pages)
Out of scope: third-party protocol APIs (Nostr relays, Farcaster hubs, Bluesky PDS, etc.).
Safe Harbor
We will not pursue legal action against security researchers who:
- Make a good-faith effort to avoid privacy violations and data destruction
- Give us reasonable time to fix the issue before disclosing
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
Disclosure Policy
We follow coordinated disclosure. After a fix is deployed, we will:
- Publish an advisory with CVE (if applicable)
- Credit the researcher (unless they prefer anonymity)
- Update this document with any new guidance