48 lines
1.8 KiB
Markdown
48 lines
1.8 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 2.x | ✅ Active support |
|
|
| 1.x | ❌ End of life |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**DO NOT OPEN A PUBLIC ISSUE.** This is a commercial security product. Vulnerabilities in our code directly affect our customers' safety.
|
|
|
|
**Email:** security@rugmunch.io
|
|
**PGP Key:** [Available on request]
|
|
**Response time:** Within 24 hours
|
|
**Disclosure:** Coordinated disclosure after fix deployment (max 90 days)
|
|
|
|
### What to include:
|
|
- Type of vulnerability (RCE, auth bypass, data exposure, etc.)
|
|
- Affected endpoint/component
|
|
- Steps to reproduce
|
|
- Proof of concept (if available)
|
|
- Impact assessment
|
|
|
|
### What you'll receive:
|
|
- Confirmation within 24 hours
|
|
- Regular status updates
|
|
- Credit in release notes (unless you request anonymity)
|
|
- Bug bounty at our discretion (contact us for current program details)
|
|
|
|
## Security Best Practices for Contributors
|
|
|
|
1. **Never commit secrets** — API keys, tokens, passwords, private keys go in environment variables only
|
|
2. **Use `.env` (gitignored)** for local development credentials
|
|
3. **Sign your commits** with GPG (`git config commit.gpgsign true`)
|
|
4. **Review your own diffs** before pushing — check for accidental credential exposure
|
|
5. **Use branch protection** — all changes to main must go through PR review
|
|
6. **Run `git-sync.py --dry-run`** before pushing to verify no secrets are staged
|
|
|
|
## Our Security Stack
|
|
|
|
- Pre-commit hooks scan every staged file for secrets
|
|
- Pre-push hooks block force pushes and re-scan for secrets
|
|
- GitHub Actions CI runs secret scanning on every PR
|
|
- Dependabot monitors dependencies for known CVEs
|
|
- Production secrets stored in GitHub Secrets vault + environment variables
|
|
- Backend .env never committed (in .gitignore)
|