From 03eb7ad0a1b08f8255d3a5b607b58659c08245ef Mon Sep 17 00:00:00 2001 From: "Aaron K. Clark" Date: Mon, 18 May 2026 00:59:47 -0500 Subject: [PATCH] docs(security): add SECURITY.md disclosure policy Open-source projects with an embedded Snyk badge advertise an intent to handle security carefully; a SECURITY.md formalizes the disclosure path so reporters don't have to guess. Contents: - Supported versions: master-only single-track project. - Reporting channels: GitHub Security Advisories (preferred); Codeberg DM; maintainer email as last resort. NEVER open a public issue. - SLAs: acknowledge within 3 business days, triage within 7, fix high/critical within 30. - Required content for reports: description, repro, affected commit, preferred attribution. - In-scope and out-of-scope lists so casual scans don't generate noise reports. - Disclosure timing: coordinate with the reporter, credit on the changelog entry. GitHub auto-surfaces this file under the repo's Security tab; Codeberg recognizes the same convention. Co-Authored-By: Claude Opus 4.7 (1M context) --- SECURITY.md | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..5e68bf4 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,77 @@ +# Security policy + +Thank you for taking the time to look at the security of TimeTrackerAPI. +The project mirrors on both [GitHub](https://github.com/CryptoJones/TimeTrackerAPI) +and [Codeberg](https://codeberg.org/CryptoJones/TimeTrackerAPI); either +forge is a valid place to reach us. + +## Supported versions + +This is a single-track project. Security fixes land on `master` only; +there are no maintained release branches. Operators deploying from a +tagged release should bump to the latest tag (or `master`) when a +vulnerability lands, then re-deploy. + +## Reporting a vulnerability + +**Please do NOT open a public issue for a security vulnerability.** + +Instead, use one of these channels: + +- **GitHub:** open a private vulnerability report via + [GitHub Security Advisories](https://github.com/CryptoJones/TimeTrackerAPI/security/advisories/new). + This is the preferred path for anything that warrants a CVE. +- **Codeberg:** post a private message to `@CryptoJones` (the repo + owner) and include the word `SECURITY` in the subject line. +- **Email:** as a last resort, send the report to the email address + listed on the maintainer's GitHub profile, with `[security]` in the + subject line. + +We aim to: + +- **Acknowledge** receipt within **3 business days**. +- **Triage** (confirm + assign a severity) within **7 business days**. +- **Ship a fix or mitigation** within **30 days** for high/critical + issues; lower severities are best-effort. + +Please include in your report: + +- A clear description of the vulnerability and its impact. +- Steps to reproduce (or a proof-of-concept payload). +- Affected commit / tag, if you can identify one. +- Your preferred attribution name + link for the changelog credit + (or "anonymous" if you'd rather we not name you). + +## What's in scope + +- The HTTP API in `app/` and `server.js`. +- The Sequelize models and migrations in `app/models/` and + `app/migrations/`. 
+- The default Docker / docker-compose configuration in the repo root. +- The dependency tree in `package.json` (we run `npm audit` on + production deps in CI; a high/critical advisory against a deployed + dependency is in scope even if our code doesn't trigger the bug). + +## What's out of scope + +- Vulnerabilities that require the operator to deliberately mis-configure + the deployment (e.g., `RATE_LIMIT_MAX=0` on a public endpoint, or + running the server as root inside the container). +- Findings that depend on the operator running a fork with material + modifications. +- DoS via cost-amplification on a non-rate-limited route the operator + has explicitly mounted (e.g., a custom `/admin/*` endpoint outside + this repo's surface). +- Issues in third-party dependencies that have already been disclosed + upstream and don't have a fix available — please report those + upstream and link us to the tracking issue. + +## Public disclosure timeline + +Once a fix has landed on `master` and an advisory has been published, +we'll credit the reporter (unless they asked otherwise) and reference +the GitHub Security Advisory ID in the changelog entry. We coordinate +disclosure timing with the reporter when the issue is severe enough +to warrant a heads-up to known deployers. + +Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/
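Review bot: the `**Email:**` bullet under "Reporting a vulnerability" points reporters to an address that is not in this file (`the email address listed on the maintainer's GitHub profile`) and offers no encryption key, while the report checklist asks for `Steps to reproduce (or a proof-of-concept payload)`; either state the address here together with a PGP fingerprint or a key file in the repo, or drop email and leave the Security Advisories form as the only channel for reports that carry a PoC. A profile email can also be hidden or changed without this file noticing, which silently breaks the last-resort path. Two smaller points: the in-scope line `a high/critical advisory against a deployed dependency is in scope even if our code doesn't trigger the bug` overlaps with the out-of-scope item for dependency issues `already disclosed upstream and don't have a fix available`, so say which rule wins when a high/critical advisory has no upstream fix (for example, in scope whenever the project can pin, patch or remove the dependency). And "Public disclosure timeline" commits to coordinating timing with the reporter but never states a default embargo, so a reporter cannot tell when they may publish if the 30-day fix window slips; a stated maximum, whatever the maintainers choose, removes that ambiguity.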