rmi-backend/SECURITY.md

48 lines
1.8 KiB
Markdown

# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 2.x | ✅ Active support |
| 1.x | ❌ End of life |
## Reporting a Vulnerability
**DO NOT OPEN A PUBLIC ISSUE.** This is a commercial security product. Vulnerabilities in our code directly affect our customers' safety.
**Email:** security@rugmunch.io
**PGP Key:** [Available on request]
**Response time:** Within 24 hours
**Disclosure:** Coordinated disclosure after fix deployment (max 90 days)
### What to include:
- Type of vulnerability (RCE, auth bypass, data exposure, etc.)
- Affected endpoint/component
- Steps to reproduce
- Proof of concept (if available)
- Impact assessment
### What you'll receive:
- Confirmation within 24 hours
- Regular status updates
- Credit in release notes (unless you request anonymity)
- Bug bounty at our discretion (contact us for current program details)
## Security Best Practices for Contributors
1. **Never commit secrets** — API keys, tokens, passwords, private keys go in environment variables only
2. **Use `.env` (gitignored)** for local development credentials
3. **Sign your commits** with GPG (`git config commit.gpgsign true`)
4. **Review your own diffs** before pushing — check for accidental credential exposure
5. **Use branch protection** — all changes to main must go through PR review
6. **Run `git-sync.py --dry-run`** before pushing to verify no secrets are staged
## Our Security Stack
- Pre-commit hooks scan every staged file for secrets
- Pre-push hooks block force pushes and re-scan for secrets
- GitHub Actions CI runs secret scanning on every PR
- Dependabot monitors dependencies for known CVEs
- Production secrets stored in GitHub Secrets vault + environment variables
- Backend .env never committed (in .gitignore)