dashore-incubator/SECURITY.md
Nicholai 2e051e4bef feat: complete project setup with auth and contributor docs
- add WorkOS AuthKit authentication with middleware protection
- add dashboard with sidebar layout (shadcn/ui components)
- add contributor documentation (CONTRIBUTING, CODE_OF_CONDUCT,
  SECURITY, START-HERE, Documentation/)
- add CI workflow for lint and build on PRs
- switch from pnpm to bun
- add CLAUDE.md and AGENTS.md for AI assistant context
2026-01-21 23:02:18 -07:00

Security Policy

supported versions

  Version   Supported
  latest    yes

we only support the latest version deployed at https://fortura.cc.

reporting a vulnerability

please do not report security vulnerabilities through public github issues.

instead, email security@fortura.cc with:

  • description of the vulnerability
  • steps to reproduce
  • potential impact
  • suggested fix (if any)

what to include

  1. type of issue (e.g., XSS, CSRF, injection, auth bypass)
  2. location of the affected code (file path, URL, or component)
  3. reproduction steps - step-by-step instructions
  4. proof-of-concept - code or screenshots if possible
  5. impact - what an attacker could achieve

what to expect

  • acknowledgment: within 48 hours
  • initial assessment: within 7 days
  • fix timeline: within 30 days for critical issues

we'll keep you informed throughout the process and coordinate disclosure timing with you.

in-scope vulnerabilities

we're interested in:

  • authentication or authorization bypasses
  • injection vulnerabilities (SQL, command, etc.)
  • cross-site scripting (XSS)
  • cross-site request forgery (CSRF)
  • sensitive data exposure
  • server-side request forgery (SSRF)
  • insecure direct object references
  • security misconfigurations

out-of-scope

the following are generally not in scope:

  • denial of service attacks
  • spam or social engineering
  • issues in third-party dependencies (report to the upstream project)
  • theoretical vulnerabilities without proof-of-concept
  • issues requiring physical access to a user's device
  • self-XSS or issues requiring the victim to paste code

safe harbor

we consider security research and vulnerability disclosure activities conducted consistent with this policy to be:

  • authorized concerning any applicable anti-hacking laws
  • authorized concerning any applicable anti-circumvention laws
  • exempt from restrictions in our terms of service that would interfere with conducting security research

we will not initiate legal action against researchers who:

  • act in good faith
  • avoid privacy violations, data destruction, and service interruption
  • report vulnerabilities promptly
  • give us reasonable time to address issues before disclosure

recognition

we appreciate responsible disclosure. if you'd like, we'll acknowledge your contribution:

  • credit in the security advisory
  • listing in our security acknowledgments (if we create one)

last updated: january 2026