| 1 | +# Security policy |
| 2 | + |
| 3 | +Thank you for taking the time to look at the security of TimeTrackerAPI. |
| 4 | +The project mirrors on both [GitHub](https://github.com/CryptoJones/TimeTrackerAPI) |
| 5 | +and [Codeberg](https://codeberg.org/CryptoJones/TimeTrackerAPI); either |
| 6 | +forge is a valid place to reach us. |
| 7 | + |
| 8 | +## Supported versions |
| 9 | + |
| 10 | +This is a single-track project. Security fixes land on `master` only; |
| 11 | +there are no maintained release branches. Operators deploying from a |
| 12 | +tagged release should bump to the latest tag (or `master`) when a |
| 13 | +vulnerability lands, then re-deploy. |
| 14 | + |
| 15 | +## Reporting a vulnerability |
| 16 | + |
| 17 | +**Please do NOT open a public issue for a security vulnerability.** |
| 18 | + |
| 19 | +Instead, use one of these channels: |
| 20 | + |
| 21 | +- **GitHub:** open a private vulnerability report via |
| 22 | + [GitHub Security Advisories](https://github.com/CryptoJones/TimeTrackerAPI/security/advisories/new). |
| 23 | + This is the preferred path for anything that warrants a CVE. |
| 24 | +- **Codeberg:** post a private message to `@CryptoJones` (the repo |
| 25 | + owner) and include the word `SECURITY` in the subject line. |
| 26 | +- **Email:** as a last resort, send the report to the email address |
| 27 | + listed on the maintainer's GitHub profile, with `[security]` in the |
| 28 | + subject line. |
| 29 | + |
| 30 | +We aim to: |
| 31 | + |
| 32 | +- **Acknowledge** receipt within **3 business days**. |
| 33 | +- **Triage** (confirm + assign a severity) within **7 business days**. |
| 34 | +- **Ship a fix or mitigation** within **30 days** for high/critical |
| 35 | + issues; lower severities are best-effort. |
| 36 | + |
| 37 | +Please include in your report: |
| 38 | + |
| 39 | +- A clear description of the vulnerability and its impact. |
| 40 | +- Steps to reproduce (or a proof-of-concept payload). |
| 41 | +- Affected commit / tag, if you can identify one. |
| 42 | +- Your preferred attribution name + link for the changelog credit |
| 43 | + (or "anonymous" if you'd rather we not name you). |
| 44 | + |
| 45 | +## What's in scope |
| 46 | + |
| 47 | +- The HTTP API in `app/` and `server.js`. |
| 48 | +- The Sequelize models and migrations in `app/models/` and |
| 49 | + `app/migrations/`. |
| 50 | +- The default Docker / docker-compose configuration in the repo root. |
| 51 | +- The dependency tree in `package.json` (we run `npm audit` on |
| 52 | + production deps in CI; a high/critical advisory against a deployed |
| 53 | + dependency is in scope even if our code doesn't trigger the bug). |
| 54 | + |
| 55 | +## What's out of scope |
| 56 | + |
| 57 | +- Vulnerabilities that require the operator to deliberately mis-configure |
| 58 | + the deployment (e.g., `RATE_LIMIT_MAX=0` on a public endpoint, or |
| 59 | + running the server as root inside the container). |
| 60 | +- Findings that depend on the operator running a fork with material |
| 61 | + modifications. |
| 62 | +- DoS via cost-amplification on a non-rate-limited route the operator |
| 63 | + has explicitly mounted (e.g., a custom `/admin/*` endpoint outside |
| 64 | + this repo's surface). |
| 65 | +- Issues in third-party dependencies that have already been disclosed |
| 66 | + upstream and don't have a fix available — please report those |
| 67 | + upstream and link us to the tracking issue. |
| 68 | + |
| 69 | +## Public disclosure timeline |
| 70 | + |
| 71 | +Once a fix has landed on `master` and an advisory has been published, |
| 72 | +we'll credit the reporter (unless they asked otherwise) and reference |
| 73 | +the GitHub Security Advisory ID in the changelog entry. We coordinate |
| 74 | +disclosure timing with the reporter when the issue is severe enough |
| 75 | +to warrant a heads-up to known deployers. |
| 76 | + |
| 77 | +Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/ |
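Review bot: the **Email** fallback under `## Reporting a vulnerability` only says to use "the email address listed on the maintainer's GitHub profile", so the last-resort channel still depends on GitHub being reachable and on the reporter being able to find that profile; put the address directly in this file (with a PGP fingerprint if encrypted reports are wanted) so all three channels stand on their own. Two smaller points in the same hunk: the **Codeberg** bullet gives no way for a reporter to verify they are messaging the real `@CryptoJones`, so naming the expected account URL would help; and the closing line `Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/` reads as README material rather than policy text and would be better moved out of SECURITY.md, which reporters and scanners parse for the contact and scope sections.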