Skip to content

Security: ubclaunchpad/Piazza-AI-Plugin

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

πŸ”’ Private Disclosure

DO NOT create a public GitHub issue for security vulnerabilities. Instead:

  1. Email us: Send details to [security@yourdomain.com] (replace with actual email)
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if available)

⏱️ Response Timeline

  • Acknowledgment: Within 24 hours
  • Initial Assessment: Within 72 hours
  • Status Update: Weekly until resolved
  • Resolution: Target within 30 days for critical issues

πŸ›‘οΈ Security Best Practices for Contributors

Code Security

  • Never commit sensitive data (API keys, passwords, tokens)
  • Use environment variables for configuration
  • Validate all user inputs
  • Follow OWASP security guidelines
  • Use parameterized queries for database operations

Extension Security

  • Implement Content Security Policy (CSP)
  • Validate all external communications
  • Sanitize user-generated content
  • Use HTTPS for all API calls
  • Implement proper permission management

Backend Security

  • Use authentication and authorization
  • Implement rate limiting
  • Validate and sanitize inputs
  • Use secure headers
  • Keep dependencies updated

πŸ” Security Scanning

Our CI/CD pipeline includes:

  • Dependency vulnerability scanning (Trivy)
  • SAST (Static Application Security Testing)
  • Frontend/backend linting
  • Prettier Formatting
  • License compliance checking
  • Secret detection

πŸ“‹ Security Checklist for PRs

Before submitting a PR, ensure:

  • No hardcoded secrets or sensitive data
  • Input validation implemented
  • Authentication/authorization considered
  • Error messages don't leak sensitive information
  • Dependencies are up to date
  • Security tests added for new features

πŸ† Recognition

We appreciate security researchers and will:

  • Acknowledge your contribution (with permission)
  • Provide attribution in release notes
  • Consider a bug bounty for significant findings

πŸ“ž Contact

  • Security Email: [security@yourdomain.com]
  • Team Leads: Available for urgent security matters
  • Encrypted Communication: PGP key available on request

Thank you for helping keep our project secure!

There aren’t any published security advisories