diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..a74ed7c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,55 @@ +# Security Policy + +Warden is a self-hosted, Bitwarden-compatible backend for Cloudflare Workers. We take security seriously, but please note this project has not been formally security-audited. + +## Reporting a Vulnerability + +**Preferred:** Use GitHub’s private vulnerability reporting (Security tab → “Report a vulnerability”). + +**Do not** open a public issue with exploit details. + +When reporting, include: + +- A clear description of the issue and impact. +- Steps to reproduce (ideally on your own deployment). +- Affected endpoint(s)/file(s) and any relevant configuration (e.g., `wrangler.toml` ratelimit bindings, Durable Objects offload, R2 attachments). +- Version/commit SHA and your deployment environment (Workers plan, Wrangler version if relevant). + +## Disclosure Guidelines + +- Please give us a reasonable amount of time to investigate and address the issue before public disclosure. +- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption. +- Do not perform denial-of-service testing against the demo instance. + +## Supported Versions + +Security fixes are provided on a best-effort basis for the latest release and the `main` branch. Older versions may not receive security patches. + +## In Scope + +- Backend implementation in `src/` (auth, crypto, handlers, database access). +- Worker entrypoint and edge concerns in `src/entry.js` (routing, attachment streaming, Durable Objects offload). +- Wrangler configuration in `wrangler.toml` (bindings, rate limiting, routes). +- Database schema and migrations (`sql/`, `migrations/`). +- Deployment tooling and scripts (`docs/`, `scripts/`, GitHub Actions workflows). +- UI overrides shipped by this repo (e.g., `public/css/`). + +## Out of Scope / Exclusions + +- Issues in upstream Bitwarden clients (mobile/desktop/browser extensions). +- Issues in the bundled upstream Web Vault build (`bw_web_builds`) that are not caused by this repository’s overrides. +- Vulnerabilities in the Cloudflare platform itself (Workers/D1/R2/DO); please report those to Cloudflare. +- Vulnerabilities in unmaintained/outdated deployments. +- Attacks requiring physical access to a user’s device. +- Social engineering, spam, and denial-of-service attempts. + +## Deployment Hardening (Operators) + +This project is "self-hosted": **your Cloudflare account is part of your security boundary**. Review the deployment docs and consider the following: + +- Set strong secrets: `JWT_SECRET` and `JWT_REFRESH_SECRET` (>32 characters, random, unique per environment). +- Restrict who can register/log in (e.g., `ALLOWED_EMAILS`), and consider disabling open registration. +- Ensure rate limiting is configured (see `wrangler.toml` `[[ratelimits]]` bindings); missing bindings degrade gracefully and may reduce protection. +- Treat Cloudflare API tokens as highly sensitive; grant least privilege and rotate when needed. +- Protect backups and exports (D1 backups, logs) as they may contain sensitive metadata. +