diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..374175b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ +# Security Policy + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability in `acbu-backend`, please report it privately and do not open a public issue. + +Use GitHub's private vulnerability reporting for this repository: + +- Go to the repository's **Security** tab +- Select **Report a vulnerability** +- Provide the details requested in the form + +If private reporting is unavailable, contact the repository maintainers through GitHub as privately as possible and avoid posting exploit details publicly. + +## What To Include + +Please include as much of the following as you can: + +- A short description of the issue +- The affected endpoint, service, or workflow +- Steps to reproduce +- Any proof of concept, logs, or screenshots +- The potential impact +- Whether the issue is currently exploitable in production or only in development + +## Response Expectations + +We will acknowledge security reports as soon as practical, investigate privately, and coordinate a fix before any public disclosure when possible. + +Please allow reasonable time for triage and remediation before sharing details publicly. + +## Safe Harbor + +We consider good-faith security research to be helpful. Please avoid: + +- Accessing data you do not own or are not authorized to access +- Modifying or deleting data +- Disrupting service availability +- Exfiltrating secrets, credentials, or personal data + +If you accidentally encounter sensitive information during testing, stop immediately and report it through the private channel above.
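Review bot: the "## Safe Harbor" section does not actually grant a safe harbor; it lists what researchers must avoid but never states what the maintainers commit to for good-faith research that stays within those bounds (for example, that such research will be treated as authorized and will not be met with legal action or a takedown request). As written, the heading promises more than the text delivers, so consider adding one sentence making that commitment explicit, or renaming the section to "Testing Guidelines". Relatedly, "## Response Expectations" gives no acknowledgement window at all ("as soon as practical"); even a loose target such as "within 5 business days" gives reporters a concrete point at which to follow up and makes the "allow reasonable time" request easier to honour.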