diff --git a/SECURITY.md b/SECURITY.md index e0511e4..cc11bc1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,98 +1,68 @@ # 🔒 Security Policy -## 🛡️ Supported Versions - -We actively maintain and provide security updates for the following versions: - -| Version | Supported | -| ------- | ------------------ | -| 1.0.x | :white_check_mark: | - ## 🚨 Reporting Security Vulnerabilities -If you identify any security vulnerabilities or concerns within this repository, please report them promptly by emailing us at [security@wgtechlabs.com](mailto:security@wgtechlabs.com). - -**Please do NOT report security vulnerabilities through public GitHub issues.** - -> [!NOTE] -> As an open-source project, we don't offer monetary bug bounties. However, we provide meaningful recognition and community acknowledgment for security researchers who help improve our project. - -### What to Include in Your Report +We take security seriously. If you discover a security vulnerability, please report it responsibly: -When reporting a security vulnerability, please include: +### Private Vulnerability Reporting (Recommended) -- **Description**: A clear description of the vulnerability -- **Impact**: Potential impact and severity assessment -- **Steps to Reproduce**: Detailed steps to reproduce the vulnerability -- **Environment**: Node.js version, operating system, and other relevant details -- **Proof of Concept**: If possible, include a minimal reproduction case +This repository has **private vulnerability reporting** enabled. You can securely report vulnerabilities directly through GitHub: -### Response Timeline +1. Navigate to the [**Security**](../../security) tab +2. Click [**Advisories**](../../security/advisories) +3. Click **"Report a vulnerability"** button +4. Fill out the vulnerability details -- **Initial Response**: Within 48 hours of receiving your report -- **Status Update**: Regular updates every 3-5 business days -- **Resolution**: We aim to resolve critical vulnerabilities within 7 days +This allows us to discuss and fix the issue privately before any public disclosure. 
-### Recognition and Rewards +### Email Reporting -As an open-source organization, we don't currently offer monetary rewards for vulnerability reports. However, we deeply value your contributions and offer the following recognition: +Alternatively, you can email us at **[security@wgtechlabs.com](mailto:security@wgtechlabs.com)** -- **Public Acknowledgment**: Credit in our security advisories and release notes (with your permission) -- **Hall of Fame**: Recognition in our project's security contributors section -- **Professional Reference**: LinkedIn recommendations or professional references for your security research skills +**Please do NOT report security vulnerabilities through public GitHub issues.** -We believe in building a collaborative security community and greatly appreciate researchers who help improve our project's security posture. +### What to Include -## 🔐 Security Considerations +- Clear description of the vulnerability +- Steps to reproduce +- Potential impact +- Your environment details (Node.js version, OS, etc.) -This webhook server handles sensitive operations and external requests. Key security areas include: +### Response Timeline -### HMAC Signature Verification -- All webhook requests must include valid HMAC-SHA256 signatures -- Signatures are verified against your Unthread webhook secret -- Invalid signatures are rejected immediately +- **Initial Response**: Within 48 hours +- **Status Updates**: Every 3-5 business days +- **Resolution**: Critical issues resolved within 7 days -### Environment Security -- Store your `UNTHREAD_WEBHOOK_SECRET` securely -- Use environment variables, never hardcode secrets -- Regularly rotate your webhook secrets +## 🛡️ Supported Versions -### Redis Security -- Secure your Redis instance with authentication -- Use TLS encryption for Redis connections in production -- Limit Redis access to authorized applications only +We provide security updates for the following versions. 
If you're using an unsupported version, please upgrade to receive security patches. -### Network Security -- Deploy behind a reverse proxy or load balancer -- Use HTTPS/TLS for all webhook endpoints -- Implement rate limiting to prevent abuse +| Version | Supported | +| ------- | ------------------ | +| 1.0.x | ✅ Yes | +| < 1.0 | ❌ No | -### Input Validation -- All webhook payloads are validated before processing -- Malformed requests are rejected with appropriate error responses -- Event deduplication prevents replay attacks +## 🔐 Security Best Practices -## 🏭 Production Security Checklist +When contributing or deploying: -Before deploying to production: +- ✅ Never commit secrets, API keys, or credentials +- ✅ Always use environment variables for sensitive data +- ✅ Keep dependencies updated +- ✅ Use HTTPS/TLS for all endpoints +- ✅ Enable security scanning (Dependabot, CodeQL) -- [ ] Use HTTPS/TLS for all endpoints -- [ ] Secure Redis with authentication and encryption -- [ ] Set strong, unique webhook secrets -- [ ] Implement proper logging and monitoring -- [ ] Use environment variables for all secrets -- [ ] Deploy behind a reverse proxy -- [ ] Enable rate limiting -- [ ] Regular security updates for dependencies +## 🏆 Recognition -## 🆘 Security Support +While we don't offer monetary rewards, we deeply value security researchers and provide: -Your efforts to help us maintain the safety and integrity of this open-source project are greatly appreciated. Thank you for contributing to a more secure community! +- Public acknowledgment in security advisories (with permission) +- Recognition in our security contributors hall of fame +- Professional references for your security work -For general security questions or guidance, you can also reach out through: -- Email: [security@wgtechlabs.com](mailto:security@wgtechlabs.com) -- GitHub Security Advisories (for coordinated disclosure) +Thank you for helping keep our projects secure! 
🙏 --- -🔐 with ❤️ by [Waren Gonzaga](https://warengonzaga.com) under [WG Technology Labs](https://wgtechlabs.com) and [Him](https://www.youtube.com/watch?v=HHrxS4diLew&t=44s) 🙏 +🔐 with ❤️ by [Waren Gonzaga](https://warengonzaga.com) under [WG Technology Labs](https://wgtechlabs.com) and [Him](https://www.youtube.com/watch?v=HHrxS4diLew&t=44s) 🙏 \ No newline at end of file
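Review bot: The hunk deletes the entire `## 🔐 Security Considerations` block and the `## 🏭 Production Security Checklist` without carrying their content anywhere else, so the rewritten policy loses the only guidance specific to this webhook server: HMAC-SHA256 signature verification against the Unthread webhook secret, handling and rotation of `UNTHREAD_WEBHOOK_SECRET`, Redis authentication and TLS, rate limiting, and the line `- Event deduplication prevents replay attacks`. The replacement `## 🔐 Security Best Practices` list (`- ✅ Never commit secrets, API keys, or credentials` and similar) is generic enough to apply to any repository and tells an operator nothing about verifying signatures or securing Redis. Suggest keeping the HMAC verification, secret rotation, Redis and rate-limiting items in this file, or linking to the README or docs section they now live in, so deployers still find them from SECURITY.md. Minor wording point in the same hunk: `- **Resolution**: Critical issues resolved within 7 days` reads as a guarantee, whereas the removed text said "We aim to resolve critical vulnerabilities within 7 days"; the hedged form is the safer commitment to publish.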