portfolio/SECURITY.md (2025-09-06 01:25:03 +02:00)

Security Policy

Supported Versions

This portfolio project follows semantic versioning and maintains security updates for the following versions:

Version   Supported   Notes
1.x.x     Yes         Current stable version
0.x.x     No          Development versions, no security support

Security Features

This portfolio includes the following security measures:

  • Dependency Scanning: Automated vulnerability scanning with Trivy
  • Code Quality: ESLint and TypeScript for secure code practices
  • Authentication: Basic Auth protection for admin routes
  • Environment Security: Sensitive data stored in environment variables
  • HTTPS Only: All production traffic encrypted
  • Input Validation: All user inputs are validated and sanitized

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability, please follow these steps:

How to Report

  1. DO NOT create a public GitHub issue
  2. DO send an email to: security@dki.one
  3. Include the following information:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution: Within 30 days (depending on severity)

What to Expect

If the vulnerability is accepted:

  • We will acknowledge receipt within 48 hours
  • We will provide regular updates on our progress
  • We will coordinate with you on disclosure timing
  • We will credit you in our security advisories (if desired)

If the vulnerability is declined:

  • We will explain why it doesn't qualify as a security issue
  • We may suggest alternative reporting channels

Scope

In Scope:

  • Authentication bypasses
  • Data exposure vulnerabilities
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Remote code execution
  • Privilege escalation

Out of Scope:

  • Denial of service attacks
  • Social engineering
  • Physical attacks
  • Issues in third-party dependencies (report to their maintainers)
  • Issues in development/staging environments

Security Best Practices

For Users

  • Keep your browser updated
  • Use strong, unique passwords
  • Enable two-factor authentication where available
  • Report suspicious activity immediately

For Developers

  • Follow secure coding practices
  • Keep dependencies updated
  • Use environment variables for sensitive data
  • Implement proper input validation
  • Conduct regular security audits

Security Updates

Security updates are released as soon as possible after a vulnerability is confirmed and fixed. We follow these practices:

  • Critical: Released within 24 hours
  • High: Released within 72 hours
  • Medium: Released within 1 week
  • Low: Released with next regular update

Contact

For security-related questions or concerns:

  • Email: security@dki.one
  • Response Time: Within 48 hours

Acknowledgments

We appreciate the security research community and will acknowledge responsible disclosure of vulnerabilities.


Last Updated: September 2024
Next Review: March 2025