Update SECURITY.md

PSBigBig × MiniPS 2026-03-04 12:10:37 +08:00 committed by GitHub
parent fca2c3774f
commit c02efdcba5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -1,25 +1,64 @@
# Security Policy
## Reporting a Vulnerability
If you discover a potential security vulnerability in **WFGY**, please report it responsibly:
1. **Email**: hello@onestardao.com (subject: “[WFGY Security]”)
2. **Telegram**: Message @PSBigBig with subject “[WFGY Security]” (avoid posting sensitive details in public chats).
3. **GitHub Private Issue**: If private issues are enabled, open a private issue titled “[Security] WFGY Vulnerability”.
Please do **not** disclose detailed vulnerability information in public issue or forum posts to prevent exploitation before a fix is released.
This document describes how to report potential security issues in this repository and how maintainers handle disclosure.
Maintainers will respond within 12 business days to acknowledge receipt and discuss next steps.
## Reporting a vulnerability
## Response Process
- Upon receiving a report, maintainers will confirm and follow up with you privately.
- A fix will be prepared and released in a new version; the Release Notes will describe the security fix.
- If applicable, maintainers will assist with assigning a CVE and coordinate disclosure timing.
If you believe you have found a security vulnerability, please report it privately and responsibly.
## Supported Versions
- Detail which versions are supported with security fixes. Example:
- “Security fixes will be backported to the latest minor release branch for versions >= 1.0.”
- If you only support the latest release, state that clearly.
Preferred reporting channel:
1. **Email**: `hello@onestardao.com`
Subject: `[WFGY Security] <short summary>`
Alternative channels (if email is not possible):
2. **Telegram**: `@PSBigBig`
Please start your message with: `[WFGY Security]`
Avoid sending sensitive details in public chats or groups.
3. **GitHub Security Advisory (recommended when enabled)**
Use the repository Security tab to submit a private vulnerability report via GitHub Advisories.
**Please do not disclose vulnerability details in public issues, discussions, PR comments, or social posts** until maintainers confirm that disclosure is safe. This reduces the risk of exploitation before mitigations are available.
### What to include in a report
To help maintainers verify and assess the report quickly, please include:
- A clear description of the issue and why it is a security concern
- Affected component(s) and file path(s), if known
- The commit hash, tag, or release version you tested
- Minimal reproduction steps or a proof-of-concept (PoC), when feasible
- Any logs, stack traces, or screenshots that support the report
- Your suggested severity and rationale (optional)
If a full PoC would increase risk, you can provide a high-level description first and share sensitive details after maintainers respond.
## Response process
Maintainers aim to acknowledge reports in a timely manner, but response time can vary depending on availability and report complexity.
Typical workflow:
1. **Acknowledgement**: maintainers confirm receipt and may request clarification.
2. **Triage**: maintainers assess impact, scope, and reproducibility.
3. **Mitigation**: a fix or mitigation is developed and tested.
4. **Release and disclosure**: relevant changes are released and documented.
When appropriate, maintainers may coordinate disclosure timing with the reporter. If a CVE is appropriate and feasible, maintainers may coordinate CVE assignment through standard channels.
## Supported versions
Security fixes are provided on a best-effort basis.
- The primary supported line is the latest state of the `main` branch and/or the latest tagged release.
- Backports to older tags or branches are not guaranteed.
If you rely on older versions, please consider upgrading or opening a discussion to request a backport, understanding that maintainers may decline based on scope and maintenance cost.
## Contact
- Email: hello@onestardao.com
- Telegram: @PSBigBig
- GitHub Advisory: https://github.com/onestardao/WFGY/security/advisories (enable this if desired)
- Email: `hello@onestardao.com`
- Telegram: `@PSBigBig`
- GitHub Security Advisories: `https://github.com/onestardao/WFGY/security/advisories`
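Review bot: the rewritten "Response process" section drops the only concrete commitment the old policy made. The removed line read "Maintainers will respond within 12 business days to acknowledge receipt and discuss next steps"; the replacement, "Maintainers aim to acknowledge reports in a timely manner, but response time can vary depending on availability and report complexity", gives a reporter no target to plan disclosure around. Keep a number, even a generous one (for example "within 14 days"), and say what the reporter may do if that window passes; vague acknowledgement language is what usually pushes researchers toward unilateral disclosure. Two smaller points in the same hunk: the new channel "GitHub Security Advisory (recommended when enabled)" and the Contact entry `https://github.com/onestardao/WFGY/security/advisories` only work if private vulnerability reporting is switched on in the repository settings, and this change deletes the old "(enable this if desired)" reminder, so confirm it is enabled before merging or keep the caveat next to the link; and the email channel now carries no encryption guidance, so consider publishing a PGP public key (or a fingerprint) alongside `hello@onestardao.com` so that a reporter who is asked to withhold a PoC from public channels has a private one that is actually confidential.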