From 2b98d3032ea6fd3dfc1b96434829bc230f2af5c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20NEDJAR?= Date: Sat, 28 Mar 2026 16:47:27 +0100 Subject: [PATCH 1/2] docs: Add security policy. --- .github/SECURITY.md | 48 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..1118c907 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,48 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +|---------|-----------| +| latest release | Yes | +| older releases | No | + +Only the latest release on the `main` branch receives security updates. + +## Reporting a Vulnerability + +If you discover a security vulnerability in this project, please report it responsibly. + +**Do not open a public issue.** + +Instead, use one of the following methods: + +1. **GitHub Security Advisories** (preferred): use the [Report a vulnerability](https://github.com/steamicc/micropython-steami-lib/security/advisories/new) button on the Security tab of this repository. +2. **Email**: contact the maintainers at [sebastien.nedjar@univ-amu.fr](mailto:sebastien.nedjar@univ-amu.fr). + +Please include: + +* A description of the vulnerability +* Steps to reproduce or a proof of concept +* The affected version(s) +* Any potential impact + +## Response + +We will acknowledge your report within **7 days** and aim to provide a fix or mitigation within **30 days**, depending on severity. + +## Scope + +This policy covers the MicroPython driver library code in `lib/` and the build/CI tooling. It does **not** cover: + +* The MicroPython firmware itself (report upstream at [micropython/micropython](https://github.com/micropython/micropython)) +* The STeaMi board hardware +* Third-party npm dependencies (report upstream to the respective package maintainers) + +## Automated Security + +This repository uses: + +* **Dependabot** for automated dependency vulnerability alerts +* **CodeQL** for static analysis on CI workflows +* **Secret scanning** for detecting leaked credentials From cdcee532663db3f5f157c290c237114dbf92c385 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20NEDJAR?= Date: Sat, 28 Mar 2026 16:55:18 +0100 Subject: [PATCH 2/2] docs: Fix Copilot review comments on security policy. --- .github/SECURITY.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 1118c907..d62d2a24 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -7,7 +7,7 @@ | latest release | Yes | | older releases | No | -Only the latest release on the `main` branch receives security updates. +Only the most recent tagged release receives security updates. ## Reporting a Vulnerability @@ -37,12 +37,12 @@ This policy covers the MicroPython driver library code in `lib/` and the build/C * The MicroPython firmware itself (report upstream at [micropython/micropython](https://github.com/micropython/micropython)) * The STeaMi board hardware -* Third-party npm dependencies (report upstream to the respective package maintainers) +* Third-party dependencies (npm packages, Python packages — report upstream to the respective package maintainers) ## Automated Security -This repository uses: +This repository has the following GitHub security features enabled: -* **Dependabot** for automated dependency vulnerability alerts -* **CodeQL** for static analysis on CI workflows +* **Dependabot alerts** for dependency vulnerability detection +* **CodeQL analysis** for static security analysis * **Secret scanning** for detecting leaked credentials
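Review bot: In the first patch (the hunk adding `.github/SECURITY.md`), the "Response" section promises acknowledgement within 7 days and a fix or mitigation within 30 days but says nothing about what happens after that: whether the maintainers publish a GitHub advisory, whether the reporter is expected to hold details until a fix ships, and whether reporters are credited. A short "Disclosure" paragraph covering those three points would close the gap. The email route in "Reporting a Vulnerability" also offers no encrypted option while the same section asks for "Steps to reproduce or a proof of concept"; either publish a PGP key alongside the address or state that reports containing a proof of concept should go through the advisory form.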
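Review bot: In the `@@ -7,7 +7,7 @@` hunk, the new sentence "Only the most recent tagged release receives security updates." no longer matches the table rows left unchanged above it ("latest release" / "older releases"), and it says nothing about users who install from `main` between tags. Align the row labels with the sentence (for example "most recent tagged release" / "older tags") and add one sentence stating whether untagged commits on `main` are supported, with a link to the releases page so readers can tell which tag is current.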
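Review bot: In the `@@ -37,12 +37,12 @@` hunk, "This repository has the following GitHub security features enabled:" is a statement about repository settings that will silently go stale if a feature is disabled; either link the Security tab of the repository as the source of truth or phrase it as a list of features the project relies on. The "**CodeQL analysis** for static security analysis" bullet should also say what is analysed (the Python code in `lib/` and the CI tooling named in "Scope"), since the previous wording "on CI workflows" was dropped without a replacement.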