From 427ce0dc27640db698520f44871d4d96c31b3079 Mon Sep 17 00:00:00 2001 From: Marc Bulling Date: Sun, 25 May 2025 14:37:08 +0200 Subject: [PATCH] Added security policy #258 --- SECURITY.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7e7ad8b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,42 @@ +# Security Policy + +## Supported Versions + +We currently support the latest stable version of Gokapi. Security updates are provided on a best-effort basis for the most recent release. + +| Version | Supported | +| ------- | ------------------ | +| Latest | ✅ | +| Older | ❌ | + +## Reporting a Vulnerability + +If you discover a security vulnerability in Gokapi, please **do not open a public issue**. + +Instead, use GitHub’s [**"Report a vulnerability"**](https://github.com/Forceu/Gokapi/security/advisories/new) feature on this repository. This ensures your report stays private and will be reviewed promptly by the maintainers. + +To report a vulnerability: + +1. Go to the **Security** tab of the Gokapi repository. +2. Click on **"Report a vulnerability"**. +3. Fill out the form with as much detail as possible. + +We aim to acknowledge valid reports within **3 business days** and address them as quickly as possible. + +## Disclosure Policy + +Once a vulnerability is reported, we will: + +1. Acknowledge receipt within 72 hours. +2. Investigate and validate the issue. +3. Develop a fix or mitigation strategy. +4. Coordinate a release with credit to the reporter (unless anonymity is requested). +5. Publish a security advisory via GitHub once the fix is released. + +## Scope + +This policy applies to the Gokapi codebase and documentation in this repository. Vulnerabilities in third-party dependencies should be reported to the appropriate maintainers. + +--- + +Thank you for helping keep Gokapi secure!
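Review bot: The acknowledgement timeline in the new SECURITY.md is stated twice with different values: the "Reporting a Vulnerability" section says "We aim to acknowledge valid reports within **3 business days**", while step 1 of "Disclosure Policy" says "Acknowledge receipt within 72 hours." Three business days can span five calendar days over a weekend, so a reporter reading the second figure will expect a faster response than the first commits to. Pick one figure and use it in both places, e.g. change step 1 to "Acknowledge receipt within 3 business days." (or change the earlier sentence to 72 hours), so the policy does not promise two different SLAs. Minor: the "Supported Versions" table says "Security updates are provided on a best-effort basis for the most recent release", but the table marks "Latest" with a plain ✅; consider stating "best effort" in the table or in a footnote so the two do not read as contradicting each other.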