SECURITY.md
Security Policy

Thank you for your interest in the security of our project. We take security very seriously and appreciate the collaboration of the community to keep our software safe. If you discover a security vulnerability, we kindly ask you to report it responsibly so we can take the necessary actions.

How to Report a Vulnerability

  1. Private Disclosure: Please do not report security vulnerabilities in public GitHub issues, pull requests or discussions. Instead, use one of the following private methods:

    • Email: Send an email to security@benjamin-stefan.eu with your report. We encourage you to use PGP encryption. Our public PGP key can be found on keys.openpgp.org or downloaded directly here.
      Fingerprint: 4CB4 A832 F430 F258 9026 C6AA A23E 12B7 3D8C F79C.
      After importing the key, compare its full fingerprint with the one above before encrypting anything to it. A key whose fingerprint does not match is not ours, even if the user ID shows our address.

    • GitHub Security Advisories: You can also report vulnerabilities through GitHub Security Advisories. This allows us to privately discuss and address the issue within GitHub's secure environment. To report a vulnerability this way, go to the "Security" tab of our repository and click on "Report a vulnerability."

  2. Information to Include: Please provide as much detail as possible:

    • Type of vulnerability (e.g., XSS, SQL Injection, CSRF)
    • Affected components and versions (e.g., specific files, functions or the release/commit you tested)
    • Steps to reproduce the issue (a minimal proof of concept if you have one)
    • Potential impact on the system or users

  3. Languages: We prefer to communicate in English or German.

  4. Data Handling and GDPR Compliance: All information sent to us is handled confidentially. We securely store and manage the data, and it is only accessible by the project maintainer. The data collected will be used solely for addressing and managing the reported security vulnerability and will be securely deleted after resolution unless further retention is legally required.

  5. Response Timeframe: As an individual working with limited resources, I cannot guarantee specific timeframes for addressing vulnerabilities. However, I will do my best to respond to security reports as quickly as possible. You can expect an initial response within a reasonable time.

  6. Responsible Disclosure: Please keep the details confidential until a fix is available. Once a vulnerability has been resolved, the details of the vulnerability and the steps taken to address it will be documented publicly. With your consent, we will recognize you in the project's credits as appreciation for your contribution.

  7. Key Rotation: If the PGP key is compromised or needs rotation, this SECURITY.md will be updated with the new fingerprint, and a new key will be made available on keys.openpgp.org. Always check the fingerprint you use against the current version of this file.
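The key-verification step from item 1, written out as an added example (this is not code from the project or from this policy): a POSIX shell script that imports the reporting key, extracts the primary-key fingerprint from `gpg --with-colons` output, compares it with the value published above, and only then encrypts a report to that key. The file names `security-key.asc` and `report.txt`, the `hkps://` keyserver URL form, and the use of `--trust-model always` after a successful manual check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the project's SECURITY.md: import the reporting key,
# check its PRIMARY-key fingerprint against the one published in this policy,
# and only then encrypt a report to it. Key-file, report-file and keyserver
# URL form are assumptions for illustration.
set -eu

# Fingerprint as published in SECURITY.md (spaces are only for readability).
EXPECTED_FPR="4CB4 A832 F430 F258 9026 C6AA A23E 12B7 3D8C F79C"
KEYSERVER="hkps://keys.openpgp.org"   # assumed URL form for the keyserver named in the policy

# Canonical form: 40 upper-case hex digits, no whitespace. Both the published
# value and whatever gpg prints are normalized this way before comparison.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the PRIMARY key fingerprint.
# The first "fpr" record after a "pub" record belongs to the primary key; later
# "fpr" records belong to subkeys, so we stop at the first match. In colon
# format the fingerprint is field 10 of an "fpr" record.
primary_fpr_from_colons() {
  awk -F: '$1 == "pub" { want = 1; next }
           want && $1 == "fpr" { print $10; exit }'
}

# Exit 0 only if the primary fingerprint on stdin equals the expected one ($1).
# An empty result (key not found, unexpected output) is treated as a mismatch.
check_fpr() {
  expected=$(normalize_fpr "$1")
  actual=$(primary_fpr_from_colons)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import from a downloaded file (assumed name: security-key.asc) or, if no file
# is given, fetch from the keyserver by full fingerprint.
import_key() {
  fpr=$(normalize_fpr "$EXPECTED_FPR")
  if [ -n "${1-}" ]; then
    gpg --import "$1"
  else
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr"
  fi
}

# Refuse to proceed unless the key now in the keyring has the published fingerprint.
verify_imported_key() {
  fpr=$(normalize_fpr "$EXPECTED_FPR")
  if gpg --batch --with-colons --fingerprint "$fpr" 2>/dev/null | check_fpr "$EXPECTED_FPR"; then
    echo "fingerprint matches SECURITY.md: $fpr"
  else
    echo "FINGERPRINT MISMATCH or key not found; do not encrypt to this key" >&2
    return 1
  fi
}

# Encrypt the report (assumed name: report.txt) to the verified key, writing
# report.txt.asc. The manual fingerprint check above is the trust decision, so
# --trust-model always just stops gpg from re-asking about an unsigned key.
encrypt_report() {
  fpr=$(normalize_fpr "$EXPECTED_FPR")
  gpg --batch --yes --trust-model always --armor --encrypt \
      --recipient "$fpr" --output "$1.asc" "$1"
}

# Usage: sh report.sh send [security-key.asc] [report.txt]
if [ "${1-}" = "send" ]; then
  import_key "${2-}"
  verify_imported_key
  encrypt_report "${3:-report.txt}"
fi
```

Compare the full 40-hex fingerprint, not the key ID shown in `gpg --list-keys`: short key IDs are only 32 bits and can be forged, and the user ID on a key is free text that anyone can set to our address. The script also deliberately ignores subkey fingerprints, which are what `gpg` will actually encrypt to but are not what the policy publishes.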

Security Contact

For any security-related questions or concerns, please contact security@benjamin-stefan.eu (PGP-encrypted emails are preferred) or use GitHub Security Advisories. We prefer communication in English or German.

Thank you for your support in ensuring the security of this project!