mirror of
https://github.com/NicholaiVogel/dashore-incubator.git
synced 2026-03-30 22:38:56 +00:00
- add WorkOS AuthKit authentication with middleware protection
- add dashboard with sidebar layout (shadcn/ui components)
- add contributor documentation (CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, START-HERE, Documentation/)
- add CI workflow for lint and build on PRs
- switch from pnpm to bun
- add CLAUDE.md and AGENTS.md for AI assistant context
94 lines
2.5 KiB
Markdown
Security Policy
===============

Supported Versions
------------------

| Version | Supported |
| ------- | --------- |
| latest  | yes       |

We only support the latest version deployed at https://fortura.cc.

Reporting a Vulnerability
=========================

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, email **security@fortura.cc** with:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

What to Include
---------------

1. **Type of issue** (e.g., XSS, CSRF, injection, auth bypass)
2. **Location** of the affected code (file path, URL, or component)
3. **Reproduction steps** - step-by-step instructions
4. **Proof-of-concept** - code or screenshots if possible
5. **Impact** - what an attacker could achieve

What to Expect
--------------

- **Acknowledgment:** within 48 hours
- **Initial assessment:** within 7 days
- **Fix timeline:** within 30 days for critical issues

We'll keep you informed throughout the process and coordinate disclosure timing with you.

In-Scope Vulnerabilities
========================

We're interested in:

- Authentication or authorization bypasses
- Injection vulnerabilities (SQL, command, etc.)
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Sensitive data exposure
- Server-side request forgery (SSRF)
- Insecure direct object references
- Security misconfigurations

Out-of-Scope
============

The following are generally not in scope:

- Denial of service attacks
- Spam or social engineering
- Issues in third-party dependencies (report to the upstream project)
- Theoretical vulnerabilities without a proof-of-concept
- Issues requiring physical access to a user's device
- Self-XSS or issues requiring a victim to paste code

Safe Harbor
===========

We consider security research and vulnerability disclosure activities conducted consistent with this policy to be:

- Authorized concerning any applicable anti-hacking laws
- Authorized concerning any applicable anti-circumvention laws
- Exempt from restrictions in our terms of service that would interfere with conducting security research

We will not initiate legal action against researchers who:

- Act in good faith
- Avoid privacy violations, data destruction, and service interruption
- Report vulnerabilities promptly
- Give us reasonable time to address issues before disclosure

Recognition
===========

We appreciate responsible disclosure. If you'd like, we'll acknowledge your contribution with:

- Credit in the security advisory
- Listing in our security acknowledgments (if we create one)

*Last updated: January 2026*