openconcho/SECURITY.md

# Security Policy

## Supported Versions

OpenConcho follows semantic versioning via [semantic-release](https://semantic-release.gitbook.io/). Only the latest minor release on `main` receives security fixes.

| Version | Supported |
|---------|-----------|
| latest  | ✅        |
| older   | ❌        |

## Reporting a Vulnerability

**Please do not open public issues for security reports.**

Use GitHub's [private vulnerability reporting](https://github.com/offendingcommit/openconcho/security/advisories/new) to file a report. Include:

- A description of the issue and its impact
- Steps to reproduce
- Affected version(s)
- Any mitigations you've identified

You should expect an acknowledgement within 72 hours and a fix or status update within 14 days.

## Scope

OpenConcho is a frontend client. It stores connection config (`base URL`, optional `token`) in `localStorage` under the keys `openconcho:config` and `openconcho:theme`. It makes no network requests outside the Honcho instance you configure.

In-scope:
- XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI
- Token leakage from `localStorage` to third parties
- Build-toolchain supply-chain issues

Out of scope:
- Vulnerabilities in your own Honcho instance — report those upstream at [plastic-labs/honcho](https://github.com/plastic-labs/honcho)
- Issues that require physical access to an unlocked device
docs: add OSS community health files - CONTRIBUTING.md: contributor onboarding, conventional commit rules, local setup - CODE_OF_CONDUCT.md: adopts Contributor Covenant 2.1 by reference - SECURITY.md: vulnerability reporting via GitHub private advisories, scope boundaries - .github/ISSUE_TEMPLATE/config.yml: disables blank issues, links to discussions and Honcho upstream Lifts the GitHub community profile score from 57% toward 100%. 2026-05-01 09:57:57 -05:00			`# Security Policy`

			`## Supported Versions`

			OpenConcho follows semantic versioning via [semantic-release](https://semantic-release.gitbook.io/). Only the latest minor release on `main` receives security fixes.

			`\| Version \| Supported \|`
			`\|---------\|-----------\|`
			`\| latest \| ✅ \|`
			`\| older \| ❌ \|`

			`## Reporting a Vulnerability`

			`Please do not open public issues for security reports.`

			`Use GitHub's [private vulnerability reporting](https://github.com/offendingcommit/openconcho/security/advisories/new) to file a report. Include:`

			`- A description of the issue and its impact`
			`- Steps to reproduce`
			`- Affected version(s)`
			`- Any mitigations you've identified`

			`You should expect an acknowledgement within 72 hours and a fix or status update within 14 days.`

			`## Scope`

			OpenConcho is a frontend client. It stores connection config (`base URL`, optional `token`) in `localStorage` under the keys `openconcho:config` and `openconcho:theme`. It makes no network requests outside the Honcho instance you configure.

			`In-scope:`
			`- XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI`
			- Token leakage from `localStorage` to third parties
			`- Build-toolchain supply-chain issues`

			`Out of scope:`
			`- Vulnerabilities in your own Honcho instance — report those upstream at [plastic-labs/honcho](https://github.com/plastic-labs/honcho)`
			`- Issues that require physical access to an unlocked device`