@@ -2,32 +2,82 @@ |
| 2 | | 2 | |
| 3 | ## Reporting a vulnerability | 3 | ## Reporting a vulnerability |
| 4 | | 4 | |
| 5 | -shithub is pre-launch. The project does not yet have a dedicated security mailbox. For now, please open a private channel of communication with the maintainer (contact via GitHub) before disclosing publicly. | 5 | +Email **`security@shithub.example`**. PGP-encrypt the report |
| | 6 | +using the key fingerprint published at |
| | 7 | +`https://shithub.example/.well-known/pgp-key.asc` if your finding |
| | 8 | +is sensitive. |
| 6 | | 9 | |
| 7 | -Once shithub launches at its public domain, this policy will be updated with: | 10 | +The mailbox auto-acknowledges receipt within minutes. A human |
| | 11 | +response (initial assessment + next steps) follows within |
| | 12 | +**72 hours**. |
| 8 | | 13 | |
| 9 | -- A dedicated `security@<domain>` mailbox | 14 | +Please **do not** file public issues for security findings. |
| 10 | -- A PGP public key for sensitive reports | 15 | +Coordinated disclosure is the norm; we will credit you in the |
| 11 | -- A response-time SLO (target: 72 hours initial acknowledgement) | 16 | +hall of fame on resolution unless you ask not to be named. |
| 12 | -- A scope statement covering the hosted instance plus the self-hosted code | | |
| 13 | -- A coordinated-disclosure timeline | | |
| 14 | | 17 | |
| 15 | -## Out of scope (pre-launch) | 18 | +## Scope |
| 16 | | 19 | |
| 17 | -- Findings against unreleased / pre-launch builds in development environments | 20 | +In scope: |
| 18 | -- Issues that require a foothold the maintainer's machine to exploit | | |
| 19 | -- Theoretical findings without a working proof of concept | | |
| 20 | | 21 | |
| 21 | -## In scope (once launched) | 22 | +- The hosted shithub instance (`shithub.example`). |
| | 23 | +- The shithub source as published on GitHub |
| | 24 | + (`github.com/tenseleyFlow/shithub`), exploited against any |
| | 25 | + reasonably-deployed self-hosted instance running an unmodified |
| | 26 | + release tag. |
| 22 | | 27 | |
| 23 | -- Authentication / authorization bypasses | 28 | +Out of scope: |
| 24 | -- Server-side request forgery | | |
| 25 | -- Code injection (SQL, template, command, etc.) | | |
| 26 | -- Cross-site scripting and CSRF | | |
| 27 | -- Insecure cryptographic practices | | |
| 28 | -- Resource exhaustion / denial-of-service vectors | | |
| 29 | -- Information disclosure of private repo content | | |
| 30 | | 29 | |
| 31 | -## License | 30 | +- Findings against third-party services we depend on |
| | 31 | + (DigitalOcean, Postmark, Let's Encrypt). Report those to the |
| | 32 | + vendor. |
| | 33 | +- Misconfiguration of a self-hosted instance (e.g., operator |
| | 34 | + exposed `/metrics` without auth) — unless the misconfiguration |
| | 35 | + is the *default* of a current release. |
| | 36 | +- Rate-limit-bypass via heroic distributed-IP infrastructure — |
| | 37 | + outside the threat model |
| | 38 | + (`docs/internal/threat-model.md`). |
| | 39 | +- Issues that require physical access to the server. |
| | 40 | +- DoS via resource exhaustion that requires sustained heavy |
| | 41 | + traffic from many unique IPs. |
| | 42 | +- Best-practice findings without an exploit path (e.g., "you're |
| | 43 | + not setting `X-Permitted-Cross-Domain-Policies`") — file these |
| | 44 | + as regular issues. |
| 32 | | 45 | |
| 33 | -This document evolves with the project. See [LICENSE](LICENSE) for shithub's overall licensing terms. | 46 | +## Bug bounty |
| | 47 | + |
| | 48 | +shithub does not currently run a paid bounty program. We welcome |
| | 49 | +findings regardless and will publicly credit you. |
| | 50 | + |
| | 51 | +## Severity |
| | 52 | + |
| | 53 | +Coarse 4-level scale: |
| | 54 | + |
| | 55 | +| Severity | Examples | Target fix | |
| | 56 | +|----------|----------------------------------------------------------------|-----------:| |
| | 57 | +| Critical | RCE; auth bypass; mass-account-takeover; private-data leak | < 24h | |
| | 58 | +| High | Per-user privilege escalation; SSRF into internal infra | < 7d | |
| | 59 | +| Medium | Stored XSS limited to an attacker's own scope; CSRF on a non-destructive route | < 30d | |
| | 60 | +| Low | Information disclosure of non-sensitive data | best-effort | |
| | 61 | + |
| | 62 | +## What you'll receive |
| | 63 | + |
| | 64 | +- **Acknowledgement** within 72 hours (auto-ack faster). |
| | 65 | +- **Triage decision** — accepted, duplicate, out-of-scope, or |
| | 66 | + needs-more-info — within 7 days for High+ and 30 days for |
| | 67 | + Medium/Low. |
| | 68 | +- **Fix timeline** based on severity. |
| | 69 | +- **Coordinated disclosure** on patched release; we publish a |
| | 70 | + brief writeup naming you (with consent) and the affected |
| | 71 | + versions. |
| | 72 | + |
| | 73 | +## Hall of fame |
| | 74 | + |
| | 75 | +Reporters who responsibly disclosed accepted findings: |
| | 76 | + |
| | 77 | +*(Empty for now — first credit goes to the first reporter.)* |
| | 78 | + |
| | 79 | +## Our threat model |
| | 80 | + |
| | 81 | +Published at |
| | 82 | +[`docs/internal/threat-model.md`](./docs/internal/threat-model.md). |
| | 83 | +Useful context on what we defend against and what we don't. |
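Review bot: the severity table and the "What you'll receive" list disagree on timelines for the top tier: new line 57 sets a "< 24h" target fix for Critical, but new lines 65-67 allow up to 7 days for the triage decision on High+, so a Critical report could be unfixed for a week while still within the stated SLO. Either add a faster triage line for Critical (e.g. "within 24h for Critical") or soften the fix target to "from triage". Two smaller points in the same hunk: new lines 5-8 say to "PGP-encrypt the report using the key fingerprint", but the URL serves the key itself (`pgp-key.asc`), so the sentence should say to encrypt with the key at that URL and, if a fingerprint is to be published, state where the fingerprint is so reporters can verify the key they fetch; and the out-of-scope bullet at new lines 36-38 points reporters at `docs/internal/threat-model.md` as the boundary of the threat model, so that file should state the rate-limit assumption explicitly or the bullet will be hard to apply consistently at triage.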