fix issue 480; security.md #563
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # Security Policy | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| If you believe you have found a security vulnerability in `acbu-backend`, please report it privately and do not open a public issue. | ||
|
|
||
| Use GitHub's private vulnerability reporting for this repository: | ||
|
|
||
| - Go to the repository's **Security** tab | ||
| - Select **Report a vulnerability** | ||
| - Provide the details requested in the form | ||
|
|
||
| If private reporting is unavailable, contact the repository maintainers through GitHub as privately as possible and avoid posting exploit details publicly. | ||
|
|
||
| ## What To Include | ||
|
|
||
| Please include as much of the following as you can: | ||
|
|
||
| - A short description of the issue | ||
| - The affected endpoint, service, or workflow | ||
| - Steps to reproduce | ||
| - Any proof of concept, logs, or screenshots | ||
| - The potential impact | ||
| - Whether the issue is currently exploitable in production or only in development | ||
|
|
||
| ## Response Expectations | ||
|
|
||
| We will acknowledge security reports as soon as practical, investigate privately, and coordinate a fix before any public disclosure when possible. | ||
|
|
||
| Please allow reasonable time for triage and remediation before sharing details publicly. | ||
|
|
||
| ## Safe Harbor | ||
|
|
||
| We consider good-faith security research to be helpful. Please avoid: | ||
|
|
||
| - Accessing data you do not own or are not authorized to access | ||
| - Modifying or deleting data | ||
| - Disrupting service availability | ||
| - Exfiltrating secrets, credentials, or personal data | ||
|
|
||
| If you accidentally encounter sensitive information during testing, stop immediately and report it through the private channel above. | ||
|
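Review bot: the fallback in "If private reporting is unavailable, contact the repository maintainers through GitHub as privately as possible" gives a researcher no concrete route when the Security tab's private reporting is disabled; name one channel (a security contact address or a GitHub team handle) and say what to do if it goes unanswered. "Response Expectations" is likewise unactionable: "as soon as practical" and "reasonable time" should be replaced by an acknowledgement window and a coordinated-disclosure window stated in days. The "Safe Harbor" section lists prohibited actions but never states what is in scope or that good-faith testing within that scope is authorized, which is the clause a researcher actually relies on. Finally, a "Supported Versions" section is the one item GitHub's SECURITY.md template expects that this file omits.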
Comment on lines +32 to +41
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Expand safe harbor with explicit authorization and scope boundaries. The current safe harbor lists prohibited activities but lacks:

Without these elements, researchers lack legal clarity, which discourages participation and undermines the policy's purpose.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Add explicit security team contact and reference the CODEOWNERS security team.
The current reporting instructions rely on GitHub's private vulnerability reporting and a vague fallback to "repository maintainers." Issue #480 requests a specific point of contact for external researchers. The CODEOWNERS file shows @Pi-Defi-world/security-team owns security-sensitive directories (prisma/, src/services/, src/controllers/, src/routes/), yet this team is not referenced in the disclosure policy. Add an explicit mention of the security team and a dedicated contact method (e.g., security team email or GitHub team handle) to ensure researchers know where to route reports when GitHub private reporting is unavailable.