@@ -2,32 +2,82 @@ |
| 2 | 2 | |
| 3 | 3 | ## Reporting a vulnerability |
| 4 | 4 | |
| 5 | | -shithub is pre-launch. The project does not yet have a dedicated security mailbox. For now, please open a private channel of communication with the maintainer (contact via GitHub) before disclosing publicly. |
| 5 | +Email **`security@shithub.example`**. PGP-encrypt the report |
| 6 | +using the key fingerprint published at |
| 7 | +`https://shithub.example/.well-known/pgp-key.asc` if your finding |
| 8 | +is sensitive. |
| 6 | 9 | |
| 7 | | -Once shithub launches at its public domain, this policy will be updated with: |
| 10 | +The mailbox auto-acknowledges receipt within minutes. A human |
| 11 | +response (initial assessment + next steps) follows within |
| 12 | +**72 hours**. |
| 8 | 13 | |
| 9 | | -- A dedicated `security@<domain>` mailbox |
| 10 | | -- A PGP public key for sensitive reports |
| 11 | | -- A response-time SLO (target: 72 hours initial acknowledgement) |
| 12 | | -- A scope statement covering the hosted instance plus the self-hosted code |
| 13 | | -- A coordinated-disclosure timeline |
| 14 | +Please **do not** file public issues for security findings. |
| 15 | +Coordinated disclosure is the norm; we will credit you in the |
| 16 | +hall of fame on resolution unless you ask not to be named. |
| 14 | 17 | |
| 15 | | -## Out of scope (pre-launch) |
| 18 | +## Scope |
| 16 | 19 | |
| 17 | | -- Findings against unreleased / pre-launch builds in development environments |
| 18 | | -- Issues that require a foothold the maintainer's machine to exploit |
| 19 | | -- Theoretical findings without a working proof of concept |
| 20 | +In scope: |
| 20 | 21 | |
| 21 | | -## In scope (once launched) |
| 22 | +- The hosted shithub instance (`shithub.example`). |
| 23 | +- The shithub source as published on GitHub |
| 24 | + (`github.com/tenseleyFlow/shithub`), exploited against any |
| 25 | + reasonably-deployed self-hosted instance running an unmodified |
| 26 | + release tag. |
| 22 | 27 | |
| 23 | | -- Authentication / authorization bypasses |
| 24 | | -- Server-side request forgery |
| 25 | | -- Code injection (SQL, template, command, etc.) |
| 26 | | -- Cross-site scripting and CSRF |
| 27 | | -- Insecure cryptographic practices |
| 28 | | -- Resource exhaustion / denial-of-service vectors |
| 29 | | -- Information disclosure of private repo content |
| 28 | +Out of scope: |
| 30 | 29 | |
| 31 | | -## License |
| 30 | +- Findings against third-party services we depend on |
| 31 | + (DigitalOcean, Postmark, Let's Encrypt). Report those to the |
| 32 | + vendor. |
| 33 | +- Misconfiguration of a self-hosted instance (e.g., operator |
| 34 | + exposed `/metrics` without auth) — unless the misconfiguration |
| 35 | + is the *default* of a current release. |
| 36 | +- Rate-limit-bypass via heroic distributed-IP infrastructure — |
| 37 | + outside the threat model |
| 38 | + (`docs/internal/threat-model.md`). |
| 39 | +- Issues that require physical access to the server. |
| 40 | +- DoS via resource exhaustion that requires sustained heavy |
| 41 | + traffic from many unique IPs. |
| 42 | +- Best-practice findings without an exploit path (e.g., "you're |
| 43 | + not setting `X-Permitted-Cross-Domain-Policies`") — file these |
| 44 | + as regular issues. |
| 32 | 45 | |
| 33 | | -This document evolves with the project. See [LICENSE](LICENSE) for shithub's overall licensing terms. |
| 46 | +## Bug bounty |
| 47 | + |
| 48 | +shithub does not currently run a paid bounty program. We welcome |
| 49 | +findings regardless and will publicly credit you. |
| 50 | + |
| 51 | +## Severity |
| 52 | + |
| 53 | +Coarse 4-level scale: |
| 54 | + |
| 55 | +| Severity | Examples | Target fix | |
| 56 | +|----------|----------------------------------------------------------------|-----------:| |
| 57 | +| Critical | RCE; auth bypass; mass-account-takeover; private-data leak | < 24h | |
| 58 | +| High | Per-user privilege escalation; SSRF into internal infra | < 7d | |
| 59 | +| Medium | Stored XSS limited to an attacker's own scope; CSRF on a non-destructive route | < 30d | |
| 60 | +| Low | Information disclosure of non-sensitive data | best-effort | |
| 61 | + |
| 62 | +## What you'll receive |
| 63 | + |
| 64 | +- **Acknowledgement** within 72 hours (auto-ack faster). |
| 65 | +- **Triage decision** — accepted, duplicate, out-of-scope, or |
| 66 | + needs-more-info — within 7 days for High+ and 30 days for |
| 67 | + Medium/Low. |
| 68 | +- **Fix timeline** based on severity. |
| 69 | +- **Coordinated disclosure** on patched release; we publish a |
| 70 | + brief writeup naming you (with consent) and the affected |
| 71 | + versions. |
| 72 | + |
| 73 | +## Hall of fame |
| 74 | + |
| 75 | +Reporters who responsibly disclosed accepted findings: |
| 76 | + |
| 77 | +*(Empty for now — first credit goes to the first reporter.)* |
| 78 | + |
| 79 | +## Our threat model |
| 80 | + |
| 81 | +Published at |
| 82 | +[`docs/internal/threat-model.md`](./docs/internal/threat-model.md). |
| 83 | +Useful context on what we defend against and what we don't. |
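Review bot: The new reporting instructions (`+Email **`security@shithub.example`**. PGP-encrypt the report` / `+using the key fingerprint published at` / `+`https://shithub.example/.well-known/pgp-key.asc` if your finding`) conflate the key with its fingerprint: an `.asc` file served from the same host is the public key itself, and a reporter fetching it has no independent way to confirm it is the key the maintainers hold. Put the fingerprint directly in this SECURITY.md (with a placeholder until the key exists, e.g. `fingerprint: <TO BE PUBLISHED>`), so the repository history acts as a second channel, and reword to "encrypt to the key at ... (fingerprint: ...)". Two smaller points in the same hunk: the removed `## License` paragraph was the only pointer to `[LICENSE](LICENSE)` and is dropped without replacement, so either keep that line or confirm the pointer lives elsewhere; and the threat model is described as "Published at" a path under `docs/internal/`, which reads as contradictory for a document the Scope section expects external reporters to consult.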