docs: add contributor and security guidelines
This commit is contained in:
calesthio
49
SECURITY.md
Normal file
49
SECURITY.md
Normal file
@@ -0,0 +1,49 @@
|
||||
# Security Policy
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
If you discover a security issue in Crucix, please report it privately instead of opening a public GitHub issue.
|
||||
|
||||
Email: `celesthioailabs@gmail.com`
|
||||
|
||||
Use a subject line like:
|
||||
|
||||
`[Crucix Security] short description`
|
||||
|
||||
Please include:
|
||||
|
||||
- affected component or file
|
||||
- steps to reproduce
|
||||
- impact
|
||||
- proof of concept if available
|
||||
- any suggested remediation
|
||||
|
||||
## Response Expectations
|
||||
|
||||
Best-effort targets:
|
||||
|
||||
- acknowledgement within 72 hours
|
||||
- initial triage within 7 days
|
||||
- coordinated disclosure after a fix is available
|
||||
|
||||
## Scope
|
||||
|
||||
The highest-priority reports are:
|
||||
|
||||
- XSS or HTML/script injection in the dashboard
|
||||
- unsafe rendering of mixed-source external content
|
||||
- authentication or secret-handling issues
|
||||
- server-side injection or path traversal
|
||||
- dependency or supply-chain issues with real exploit impact
|
||||
|
||||
## Out of Scope
|
||||
|
||||
The following are generally lower priority unless they create a concrete exploit path:
|
||||
|
||||
- minor UI bugs
|
||||
- missing best-practice headers without impact
|
||||
- rate limiting or reliability issues without a security consequence
|
||||
|
||||
## Public Disclosure
|
||||
|
||||
Please do not disclose the issue publicly until a fix is shipped or we agree on a disclosure timeline.
|
||||
Reference in New Issue
Block a user