- Add release-gate.yml: 11-job pipeline (lint, tests, Docker build/smoke, Trivy scan, dep audit, audit checks, e2e API+UI, PR summary comment) - Fix CI double-trigger on release branches (push + PR) - Add CODE_OF_CONDUCT.md, SECURITY.md, PR template - Add docs: git-workflow, architecture (ADR), release, operations, community - Add profiles/fastapi-vue for automated audit checks - Add docs/PROCESSES.md: index of 19 available processes
1.6 KiB
1.6 KiB
Security Policy
Supported Versions
| Version | Supported |
|---|---|
| 0.3.x | Yes |
| < 0.3 | No |
Reporting a Vulnerability
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report them privately:
- Email: Send a detailed report to [INSERT SECURITY EMAIL]
- GitHub Security Advisory: Use GitHub's private vulnerability reporting
What to include
- Description of the vulnerability
- Steps to reproduce
- Affected component(s):
document-parser/,frontend/,docker-compose.yml, etc. - Impact assessment (data exposure, denial of service, privilege escalation, etc.)
- Suggested fix (if any)
Response timeline
| Step | SLA |
|---|---|
| Acknowledgment | < 48 hours |
| Initial assessment | < 7 days |
| Fix developed | < 14 days (critical), < 30 days (other) |
| Public disclosure | After fix is released |
Process
- We acknowledge your report and assign a severity level
- We develop a fix in a private branch (never pushed publicly before the advisory)
- We release the fix and publish a GitHub Security Advisory
- We credit the reporter (unless they prefer anonymity)
Security Best Practices (for contributors)
- Never commit secrets, API keys, or credentials
- Never disable CORS or security middleware without review
- Validate all user input at the API boundary
- Keep dependencies up to date (
pip audit,npm audit) - Follow the OWASP Top 10 guidelines