
# Security policy

## Reporting a vulnerability

shithub is pre-launch. The project does not yet have a dedicated security mailbox. For now, please open a private channel of communication with the maintainer (contact via GitHub) before disclosing publicly.

Once shithub launches at its public domain, this policy will be updated with:

- A dedicated `security@<domain>` mailbox
- A PGP public key for sensitive reports
- A response-time SLO (target: initial acknowledgement within 72 hours)
- A scope statement covering the hosted instance plus the self-hosted code
- A coordinated-disclosure timeline

## Out of scope (pre-launch)

- Findings against unreleased / pre-launch builds in development environments
- Issues that require a foothold on the maintainer's machine to exploit
- Theoretical findings without a working proof of concept

## In scope (once launched)

- Authentication / authorization bypasses
- Server-side request forgery
- Code injection (SQL, template, command, etc.)
- Cross-site scripting and CSRF
- Insecure cryptographic practices
- Resource exhaustion / denial-of-service vectors
- Information disclosure of private repo content

## License

This document evolves with the project. See [LICENSE](LICENSE) for shithub's overall licensing terms.
