Merged
89 changes: 89 additions & 0 deletions SECURITY.md
@@ -0,0 +1,89 @@
# Security Policy for DevDisplay

## Reporting Security Vulnerabilities

We take the security of DevDisplay seriously. If you discover any security vulnerabilities, please report them to us responsibly by following these steps:

1. **DO NOT** create a public GitHub issue for security vulnerabilities
2. Send an email to [[email protected]] with details about the vulnerability
3. Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (if available)

## Response Timeline

- We will acknowledge receipt of your vulnerability report within 48 hours
- We aim to provide a detailed response within 5 business days
- We will keep you informed about the progress of fixing the vulnerability

## Security Best Practices

### For Contributors

1. **Code Review**
- All code changes must go through peer review
- Security-sensitive code requires additional review
- Follow secure coding guidelines

2. **Dependencies**
- Keep all dependencies up to date
- Regularly check for known vulnerabilities in dependencies
- Use only trusted and well-maintained packages

3. **Authentication & Authorization**
- Use strong password policies
- Implement proper session management
- Follow the principle of least privilege

4. **Data Protection**
- Encrypt sensitive data in transit and at rest
- Never commit sensitive data (tokens, passwords, keys) to the repository
- Use environment variables for sensitive configuration

### For Users

1. **Account Security**
- Use strong, unique passwords
- Enable two-factor authentication when available
- Keep your access tokens secure

2. **Reporting Issues**
- Report any suspicious activity immediately
- Do not share sensitive information publicly
- Follow responsible disclosure practices

## Security Updates

- Security patches will be released as soon as possible
- Critical updates will be clearly marked
- Users will be notified of security-related updates through our communication channels

## Scope

This security policy applies to:
- The main DevDisplay repository
- Official plugins and extensions
- Official documentation
- Related deployment configurations

## Out of Scope

The following are considered out of scope:
- Third-party plugins not maintained by DevDisplay
- User-modified configurations
- Issues already reported
- Theoretical vulnerabilities without proof of concept

## Contact

For security-related inquiries:
- Email: [[email protected]]
- PGP Key: [Link to PGP key]

Thank you for helping keep DevDisplay and its users safe!

---
Last updated: [02-11-24]
Version: 1.0
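Review bot: the contact lines `Send an email to [[email protected]]`, `Email: [[email protected]]` and `PGP Key: [Link to PGP key]` still read as bracketed placeholders rather than a real reporting address and key URL, so a reporter following this policy has nowhere to send an encrypted report; fill both in before merging, and replace `Last updated: [02-11-24]` with an unambiguous ISO 8601 date (YYYY-MM-DD), since 02-11-24 can be read as either 2 November or 11 February. The sub-bullets under `3. Include the following information:` and under each numbered item in the Security Best Practices section are not indented, so Markdown will render them as separate top-level lists and restart the numbering after each one; indent them by three or four spaces. Consider adding a Supported Versions section stating which releases receive fixes, because `Security patches will be released as soon as possible` does not tell users whether an older version they run is covered, and clarify how a reporter can tell whether something falls under `Issues already reported`, since duplicates are only visible to maintainers when reports are private.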