diff --git a/SECURITY.md b/SECURITY.md index 5d69b836..b773e199 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,25 +1,64 @@ # Security Policy -## Reporting a Vulnerability -If you discover a potential security vulnerability in **WFGY**, please report it responsibly: -1. **Email**: hello@onestardao.com (subject: “[WFGY Security]”) -2. **Telegram**: Message @PSBigBig with subject “[WFGY Security]” (avoid posting sensitive details in public chats). -3. **GitHub Private Issue**: If private issues are enabled, open a private issue titled “[Security] WFGY Vulnerability”. -Please do **not** disclose detailed vulnerability information in public issue or forum posts to prevent exploitation before a fix is released. +This document describes how to report potential security issues in this repository and how maintainers handle disclosure. -Maintainers will respond within 1–2 business days to acknowledge receipt and discuss next steps. +## Reporting a vulnerability -## Response Process -- Upon receiving a report, maintainers will confirm and follow up with you privately. -- A fix will be prepared and released in a new version; the Release Notes will describe the security fix. -- If applicable, maintainers will assist with assigning a CVE and coordinate disclosure timing. +If you believe you have found a security vulnerability, please report it privately and responsibly. -## Supported Versions -- Detail which versions are supported with security fixes. Example: - - “Security fixes will be backported to the latest minor release branch for versions >= 1.0.” -- If you only support the latest release, state that clearly. +Preferred reporting channel: + +1. **Email**: `hello@onestardao.com` + Subject: `[WFGY Security] ` + +Alternative channels (if email is not possible): + +2. **Telegram**: `@PSBigBig` + Please start your message with: `[WFGY Security]` + Avoid sending sensitive details in public chats or groups. + +3. **GitHub Security Advisory (recommended when enabled)** + Use the repository Security tab to submit a private vulnerability report via GitHub Advisories. 
+ +**Please do not disclose vulnerability details in public issues, discussions, PR comments, or social posts** until maintainers confirm that disclosure is safe. This reduces the risk of exploitation before mitigations are available. + +### What to include in a report + +To help maintainers verify and assess the report quickly, please include: + +- A clear description of the issue and why it is a security concern +- Affected component(s) and file path(s), if known +- The commit hash, tag, or release version you tested +- Minimal reproduction steps or a proof-of-concept (PoC), when feasible +- Any logs, stack traces, or screenshots that support the report +- Your suggested severity and rationale (optional) + +If a full PoC would increase risk, you can provide a high-level description first and share sensitive details after maintainers respond. + +## Response process + +Maintainers aim to acknowledge reports in a timely manner, but response time can vary depending on availability and report complexity. + +Typical workflow: + +1. **Acknowledgement**: maintainers confirm receipt and may request clarification. +2. **Triage**: maintainers assess impact, scope, and reproducibility. +3. **Mitigation**: a fix or mitigation is developed and tested. +4. **Release and disclosure**: relevant changes are released and documented. + +When appropriate, maintainers may coordinate disclosure timing with the reporter. If a CVE is appropriate and feasible, maintainers may coordinate CVE assignment through standard channels. + +## Supported versions + +Security fixes are provided on a best-effort basis. + +- The primary supported line is the latest state of the `main` branch and/or the latest tagged release. +- Backports to older tags or branches are not guaranteed. + +If you rely on older versions, please consider upgrading or opening a discussion to request a backport, understanding that maintainers may decline based on scope and maintenance cost. 
## Contact -- Email: hello@onestardao.com -- Telegram: @PSBigBig -- GitHub Advisory: https://github.com/onestardao/WFGY/security/advisories (enable this if desired) + +- Email: `hello@onestardao.com` +- Telegram: `@PSBigBig` +- GitHub Security Advisories: `https://github.com/onestardao/WFGY/security/advisories`
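Review bot: the reporting-channel list in this hunk contradicts itself: email is introduced as the "Preferred reporting channel", yet item 3, GitHub Security Advisory, is labelled "(recommended when enabled)" under "Alternative channels (if email is not possible)", so a reporter cannot tell which channel maintainers actually want first. Either move the advisory item to the top as the preferred channel (it keeps the report private and tied to the repository) and make email the fallback, or drop "recommended" from item 3 and keep the list as plain alternatives. Two smaller points in the same hunk: the subject template `` `[WFGY Security] ` `` carries a trailing space inside the backticks that renders as a literal stray space, and the rewritten response section replaces the removed line "Maintainers will respond within 1–2 business days to acknowledge receipt" with "in a timely manner", which drops the only concrete expectation a reporter had; consider keeping an acknowledgement target (even a best-effort one) next to the caveat about availability. Finally, "the latest state of the `main` branch and/or the latest tagged release" in Supported versions leaves it unclear whether a fix that has landed on `main` but not in a tag counts as released; stating one of the two as the supported line would remove the ambiguity.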