|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +We take security seriously and appreciate responsible disclosures. |
| 4 | +If you believe you’ve found a vulnerability, **please follow the process below**. |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +## Supported Versions |
| 9 | + |
| 10 | +We currently provide security fixes for the latest minor release and the `main` branch. |
| 11 | + |
| 12 | +| Version | Status | |
| 13 | +|-----------:|---------------------| |
| 14 | +| `main` | ✅ Supported | |
| 15 | +| `0.7.x` | ✅ Supported | |
| 16 | +| `< 0.7.0` | ❌ Not supported | |
| 17 | + |
| 18 | +> Note: This project is pre-1.0; interfaces may evolve quickly. Please upgrade to the latest release before reporting issues when possible. |
| 19 | +
|
| 20 | +--- |
| 21 | + |
| 22 | +## Reporting a Vulnerability |
| 23 | + |
| 24 | +**Do not open a public issue.** |
| 25 | +Instead, choose one of the following private channels: |
| 26 | + |
| 27 | +1. **GitHub Security Advisory (preferred):** |
| 28 | + Create a private report via **Security → Advisories → Report a vulnerability** in this repo. |
| 29 | +2. **Email:** |
| 30 | + Send details to **baris.sayli@gmail.com** with the subject `SECURITY: <short summary>`. |
| 31 | + |
| 32 | +Please include: |
| 33 | + |
| 34 | +- A clear description of the issue and potential impact. |
| 35 | +- A minimal proof-of-concept (PoC) or steps to reproduce. |
| 36 | +- Affected version(s) (commit hash or tag) and environment details. |
| 37 | +- Any suggested remediation ideas if you have them. |
| 38 | + |
| 39 | +--- |
| 40 | + |
| 41 | +## Our Process & Timelines |
| 42 | + |
| 43 | +We aim to respond quickly and keep you informed throughout. |
| 44 | + |
| 45 | +- **Acknowledgement:** within **72 hours**. |
| 46 | +- **Triage & Reproduction:** within **5 business days**. |
| 47 | +- **Fix Plan:** within **10 business days** for High/Critical; otherwise as scheduled. |
| 48 | +- **Release:** a patched version will be published; we may coordinate an embargoed release for impactful issues. |
| 49 | + |
| 50 | +We’ll keep you updated at major milestones (triage result, fix readiness, release timing). |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +## Severity Guidance |
| 55 | + |
| 56 | +We use a pragmatic CVSS-like approach: |
| 57 | + |
| 58 | +- **Critical/High:** RCE, auth bypass, or issues enabling widespread compromise. |
| 59 | +- **Medium:** Information disclosure, privilege/DoS limited to a single service. |
| 60 | +- **Low:** Hardening gaps, misconfigurations, limited-edge misuse. |
| 61 | + |
| 62 | +Severity influences prioritization and disclosure timing. |
| 63 | + |
| 64 | +--- |
| 65 | + |
| 66 | +## Coordinated Disclosure |
| 67 | + |
| 68 | +- We prefer **coordinated disclosure**. Please do not share details publicly until a fix is available. |
| 69 | +- With your consent, we’re happy to credit reporters in release notes (name/handle). |
| 70 | + |
| 71 | +--- |
| 72 | + |
| 73 | +## Scope |
| 74 | + |
| 75 | +**In scope** |
| 76 | +- `customer-service` (server / OpenAPI producer) |
| 77 | +- `customer-service-client` (generated client & overlays) |
| 78 | +- Templates, schema customizers, and build instructions contained in this repo |
| 79 | + |
| 80 | +**Out of scope** |
| 81 | +- Vulnerabilities exclusively within third-party dependencies (report upstream first) |
| 82 | +- Demo/test-only code that is not used in production contexts |
| 83 | +- Deployment-specific misconfigurations outside the repo |
| 84 | + |
| 85 | +--- |
| 86 | + |
| 87 | +## Non-qualifying Reports |
| 88 | + |
| 89 | +To focus on impactful issues, we generally exclude: |
| 90 | +- Best-practice suggestions without a practical exploit scenario |
| 91 | +- Rate limiting / generic DoS without a novel exploit |
| 92 | +- Missing security headers in dev/demo endpoints |
| 93 | +- Social engineering or physical attacks |
| 94 | + |
| 95 | +--- |
| 96 | + |
| 97 | +## Questions |
| 98 | + |
| 99 | +If you’re unsure whether something qualifies, email **baris.sayli@gmail.com** and we’ll help triage. |
| 100 | + |
| 101 | +Thank you for helping keep the community safe! 🙏 |
0 commit comments