- Add release-gate.yml: 11-job pipeline (lint, tests, Docker build/smoke, Trivy scan, dep audit, audit checks, e2e API+UI, PR summary comment) - Fix CI double-trigger on release branches (push + PR) - Add CODE_OF_CONDUCT.md, SECURITY.md, PR template - Add docs: git-workflow, architecture (ADR), release, operations, community - Add profiles/fastapi-vue for automated audit checks - Add docs/PROCESSES.md: index of 19 available processes
49 lines
1.6 KiB
Markdown
49 lines
1.6 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
| Version | Supported |
|
|
|---------|-----------|
|
|
| 0.3.x | Yes |
|
|
| < 0.3 | No |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Do NOT open a public GitHub issue for security vulnerabilities.**
|
|
|
|
Instead, please report them privately:
|
|
|
|
1. **Email**: Send a detailed report to **[INSERT SECURITY EMAIL]**
|
|
2. **GitHub Security Advisory**: Use [GitHub's private vulnerability reporting](https://github.com/scub-france/Docling-Studio/security/advisories/new)
|
|
|
|
### What to include
|
|
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Affected component(s): `document-parser/`, `frontend/`, `docker-compose.yml`, etc.
|
|
- Impact assessment (data exposure, denial of service, privilege escalation, etc.)
|
|
- Suggested fix (if any)
|
|
|
|
### Response timeline
|
|
|
|
| Step | SLA |
|
|
|------|-----|
|
|
| Acknowledgment | < 48 hours |
|
|
| Initial assessment | < 7 days |
|
|
| Fix developed | < 14 days (critical), < 30 days (other) |
|
|
| Public disclosure | After fix is released |
|
|
|
|
### Process
|
|
|
|
1. We acknowledge your report and assign a severity level
|
|
2. We develop a fix in a **private branch** (never pushed publicly before the advisory)
|
|
3. We release the fix and publish a GitHub Security Advisory
|
|
4. We credit the reporter (unless they prefer anonymity)
|
|
|
|
## Security Best Practices (for contributors)
|
|
|
|
- Never commit secrets, API keys, or credentials
|
|
- Never disable CORS or security middleware without review
|
|
- Validate all user input at the API boundary
|
|
- Keep dependencies up to date (`pip audit`, `npm audit`)
|
|
- Follow the [OWASP Top 10](https://owasp.org/www-project-top-ten/) guidelines
|