50 lines
1.2 KiB
Markdown
50 lines
1.2 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
If you discover a security issue in Crucix, please report it privately instead of opening a public GitHub issue.
|
|
|
|
Email: `celesthioailabs@gmail.com`
|
|
|
|
Use a subject line like:
|
|
|
|
`[Crucix Security] short description`
|
|
|
|
Please include:
|
|
|
|
- affected component or file
|
|
- steps to reproduce
|
|
- impact
|
|
- proof of concept if available
|
|
- any suggested remediation
|
|
|
|
## Response Expectations
|
|
|
|
Best-effort targets:
|
|
|
|
- acknowledgement within 72 hours
|
|
- initial triage within 7 days
|
|
- coordinated disclosure after a fix is available
|
|
|
|
## Scope
|
|
|
|
The highest-priority reports are:
|
|
|
|
- XSS or HTML/script injection in the dashboard
|
|
- unsafe rendering of mixed-source external content
|
|
- authentication or secret-handling issues
|
|
- server-side injection or path traversal
|
|
- dependency or supply-chain issues with real exploit impact
|
|
|
|
## Out of Scope
|
|
|
|
The following are generally lower priority unless they create a concrete exploit path:
|
|
|
|
- minor UI bugs
|
|
- missing best-practice headers without impact
|
|
- rate limiting or reliability issues without a security consequence
|
|
|
|
## Public Disclosure
|
|
|
|
Please do not disclose the issue publicly until a fix is shipped or we agree on a disclosure timeline.
|