denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create SECURITY.md

Browse Source
This commit is contained in:
denshooter
2025-09-06 01:25:03 +02:00
committed by GitHub
parent 03826be1af
commit bbbea4e8ba
1 changed files with 110 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
SECURITY.md Normal file
View File

@@ -0,0 +1,110 @@
# Security Policy
## Supported Versions
This portfolio project follows semantic versioning and maintains security updates for the following versions:
| Version | Supported | Notes |
| ------- | ------------------ | ----- |
| 1.x.x | :white_check_mark: | Current stable version |
| 0.x.x | :x: | Development versions, no security support |
## Security Features
This portfolio includes the following security measures:
- **Dependency Scanning**: Automated vulnerability scanning with Trivy
- **Code Quality**: ESLint and TypeScript for secure code practices
- **Authentication**: Basic Auth protection for admin routes
- **Environment Security**: Sensitive data stored in environment variables
- **HTTPS Only**: All production traffic encrypted
- **Input Validation**: All user inputs are validated and sanitized
## Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability, please follow these steps:
### How to Report
1. **DO NOT** create a public GitHub issue
2. **DO** send an email to: `security@dki.one`
3. **Include** the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
### Response Timeline
- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Resolution**: Within 30 days (depending on severity)
### What to Expect
**If the vulnerability is accepted:**
- We will acknowledge receipt within 48 hours
- We will provide regular updates on our progress
- We will coordinate with you on disclosure timing
- We will credit you in our security advisories (if desired)
**If the vulnerability is declined:**
- We will explain why it doesn't qualify as a security issue
- We may suggest alternative reporting channels
### Scope
**In Scope:**
- Authentication bypasses
- Data exposure vulnerabilities
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- Remote code execution
- Privilege escalation
**Out of Scope:**
- Denial of service attacks
- Social engineering
- Physical attacks
- Issues in third-party dependencies (report to their maintainers)
- Issues in development/staging environments
## Security Best Practices
### For Users
- Keep your browser updated
- Use strong, unique passwords
- Enable two-factor authentication where available
- Report suspicious activity immediately
### For Developers
- Follow secure coding practices
- Keep dependencies updated
- Use environment variables for sensitive data
- Implement proper input validation
- Regular security audits
## Security Updates
Security updates are released as soon as possible after a vulnerability is confirmed and fixed. We follow these practices:
- **Critical**: Released within 24 hours
- **High**: Released within 72 hours
- **Medium**: Released within 1 week
- **Low**: Released with next regular update
## Contact
For security-related questions or concerns:
- **Email**: `security@dki.one`
- **Response Time**: Within 48 hours
## Acknowledgments
We appreciate the security research community and will acknowledge responsible disclosure of vulnerabilities.
---
**Last Updated**: September 2024
**Next Review**: March 2025