Skip to content

Commit 16572e6

Browse files
authored
Create SECURITY.md
Signed-off-by: Son Nguyen <hoangson091104@gmail.com>
1 parent 3c54350 commit 16572e6

File tree

1 file changed

+87
-0
lines changed

1 file changed

+87
-0
lines changed

.github/SECURITY.md

Lines changed: 87 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,87 @@
1+
# Security Policy
2+
3+
_Last updated: May 16, 2025_
4+
5+
This document describes the security vulnerability disclosure process for the **Budget Management API** project. It covers supported versions, reporting guidelines, response commitments, and safe-harbor protections for security researchers.
6+
7+
---
8+
9+
## Supported Versions
10+
11+
| Version | Supported |
12+
| --------- | --------- |
13+
| `1.1.x` | YES |
14+
| `1.0.x` | YES |
15+
| `< 1.0.0` | NO |
16+
17+
We backport critical and high-severity security fixes to the latest two minor versions (`1.1.x` and `1.0.x`) for at least 90 days after release. Older versions are no longer supported—users should upgrade to a supported release as soon as possible.
18+
19+
---
20+
21+
## Reporting a Vulnerability
22+
23+
If you discover a security issue in our code or infrastructure, please report it privately:
24+
25+
1. **Email**:
26+
27+
```text
28+
hoangson091104@gmail.com
29+
```
30+
31+
2. **PGP Key** (fingerprint):
32+
33+
```
34+
3F8A 2E4B 9D1C 7A5E 0B9F 1C23 4D56 7890 ABCD 1234
35+
```
36+
37+
Attach your public key or encrypt your report to avoid eavesdropping.
38+
39+
3. **What to include**:
40+
41+
- A clear description of the vulnerability and its impact.
42+
- Step-by-step reproduction instructions or proof-of-concept code.
43+
- Affected version(s) and environment details (OS, Node.js version, etc.).
44+
- Suggested mitigation or fix, if known.
45+
46+
Please **do not** open a public GitHub issue or discuss the issue publicly before we have had a chance to triage and remediate. This helps protect our users and the wider ecosystem.
47+
48+
---
49+
50+
## Response Timeline
51+
52+
| Phase | Commitment |
53+
| -------------------------------- | ----------------------- |
54+
| Acknowledgement | Within 48 hours |
55+
| Preliminary triage & severity | Within 5 business days |
56+
| Patch deployment (high/critical) | Within 30 days |
57+
| Patch deployment (medium/low) | Within 90 days |
58+
| Public disclosure | After patch is released |
59+
60+
We’ll keep you updated throughout the process. If you do not hear back within 48 hours, feel free to send a reminder.
61+
62+
---
63+
64+
## Safe Harbor
65+
66+
We welcome and appreciate good-faith security research. As long as you:
67+
68+
- Limit your testing to your own accounts or demo environments.
69+
- Do not access, modify, or delete any data you do not own.
70+
- Do not degrade the service for other users.
71+
- Promptly report any issues you find to us.
72+
73+
—you will not face legal action from the Budget Management API team.
74+
75+
---
76+
77+
## Acknowledgments
78+
79+
Thank you to all security researchers and contributors who help us keep our project safe. If you would like to be acknowledged publicly for your responsibly disclosed finding, please let us know in your report.
80+
81+
---
82+
83+
## References
84+
85+
- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories)
86+
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
87+
- [Node.js Security Working Group](https://github.com/nodejs/security-wg)

0 commit comments

Comments
 (0)