degenfeed-web/SECURITY.md
cryptorugmunch 2cb7336ccd feat(trust): SEO, legal docs, open source, federation polish
SEO & structured data:
- layout: metadataBase, template titles, OG image, canonical URL, robots config
- JSON-LD WebApplication/Site structured data on all pages
- Removed twitter:card (no Twitter/X integration)
- robots.ts: allow all, disallow /api/ /auth/ /profile/ /health/
- sitemap.ts: 14 routes with priority levels
- opengraph-image.tsx: generated neon DegenFeed social card (1200x630)

New pages:
- /about: mission, Rug Munch Media LLC, open source, infrastructure
- /faq: 15 questions
- /legal: LLC notice, DMCA agent, DPO, governing law
- /acceptable-use: 8 rules linked from Terms
- /community-guidelines: 12 instance rules

Legal improvements:
- Privacy: added COPPA, GDPR rights, CCPA rights, Data Protection Officer
- Terms: DMCA notice, age 16 (EU-friendly), Wyoming law, LLC attribution

Open source:
- LICENSE (MIT), CONTRIBUTING.md, SECURITY.md, CODEOWNERS, CODE_OF_CONDUCT.md
- Footer: git.rugmunch.io + codeberg.org links
2026-07-08 17:42:58 +07:00

1.9 KiB

Security Policy

Reporting a Vulnerability

Do NOT open a public issue for security bugs.

Instead, send a detailed report to security@degenfeed.xyz.

We take all security reports seriously. Good-faith security researchers are protected under our safe harbor policy.

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected components and versions
  • Any proof-of-concept code (if available)
  • Your PGP public key for encrypted follow-up (optional)

Response SLA

Severity Acknowledgment Patch
Critical 24 hours 7 days
High 48 hours 14 days
Medium 5 days 30 days
Low Next release Next release

Public key

A PGP key for security@degenfeed.xyz will be published at /.well-known/security.txt.

Currently, report via email without encryption. We will acknowledge within 48 hours.

Supported Versions

Version Supported
Latest release YES
All prior versions NO

Only the latest deployed version receives security patches.

Scope

  • degenfeed-web monorepo (all packages and apps)
  • Cloudflare Worker (degenfeed-api)
  • social.degenfeed.xyz (GotoSocial instance)
  • degenfeed.xyz (Cloudflare Pages)

Out of scope: third-party protocol APIs (Nostr relays, Farcaster hubs, Bluesky PDS, etc.).

Safe Harbor

We will not pursue legal action against security researchers who:

  • Make a good-faith effort to avoid privacy violations and data destruction
  • Give us reasonable time to fix the issue before disclosing
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

Disclosure Policy

We follow coordinated disclosure. After a fix is deployed, we will:

  1. Publish an advisory with CVE (if applicable)
  2. Credit the researcher (unless they prefer anonymity)
  3. Update this document with any new guidance