merge: chore/cleanup-remove-bloat-and-secrets into main
This commit is contained in:
commit
bde2f3a97d
1173 changed files with 437609 additions and 0 deletions
48
SECURITY.md
Normal file
48
SECURITY.md
Normal file
|
|
@ -0,0 +1,48 @@
|
|||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 2.x | ✅ Active support |
|
||||
| 1.x | ❌ End of life |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
**DO NOT OPEN A PUBLIC ISSUE.** This is a commercial security product. Vulnerabilities in our code directly affect our customers' safety.
|
||||
|
||||
**Email:** security@rugmunch.io
|
||||
**PGP Key:** [Available on request]
|
||||
**Response time:** Within 24 hours
|
||||
**Disclosure:** Coordinated disclosure after fix deployment (max 90 days)
|
||||
|
||||
### What to include:
|
||||
- Type of vulnerability (RCE, auth bypass, data exposure, etc.)
|
||||
- Affected endpoint/component
|
||||
- Steps to reproduce
|
||||
- Proof of concept (if available)
|
||||
- Impact assessment
|
||||
|
||||
### What you'll receive:
|
||||
- Confirmation within 24 hours
|
||||
- Regular status updates
|
||||
- Credit in release notes (unless you request anonymity)
|
||||
- Bug bounty at our discretion (contact us for current program details)
|
||||
|
||||
## Security Best Practices for Contributors
|
||||
|
||||
1. **Never commit secrets** — API keys, tokens, passwords, private keys go in environment variables only
|
||||
2. **Use `.env` (gitignored)** for local development credentials
|
||||
3. **Sign your commits** with GPG (`git config commit.gpgsign true`)
|
||||
4. **Review your own diffs** before pushing — check for accidental credential exposure
|
||||
5. **Use branch protection** — all changes to main must go through PR review
|
||||
6. **Run `git-sync.py --dry-run`** before pushing to verify no secrets are staged
|
||||
|
||||
## Our Security Stack
|
||||
|
||||
- Pre-commit hooks scan every staged file for secrets
|
||||
- Pre-push hooks block force pushes and re-scan for secrets
|
||||
- GitHub Actions CI runs secret scanning on every PR
|
||||
- Dependabot monitors dependencies for known CVEs
|
||||
- Production secrets stored in GitHub Secrets vault + environment variables
|
||||
- Backend .env never committed (in .gitignore)
|
||||
Loading…
Add table
Add a link
Reference in a new issue