3fa4d599fe
- CONTRIBUTING.md: contributor onboarding, conventional commit rules, local setup - CODE_OF_CONDUCT.md: adopts Contributor Covenant 2.1 by reference - SECURITY.md: vulnerability reporting via GitHub private advisories, scope boundaries - .github/ISSUE_TEMPLATE/config.yml: disables blank issues, links to discussions and Honcho upstream Lifts the GitHub community profile score from 57% toward 100%.
37 lines
1.4 KiB
Markdown
37 lines
1.4 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
OpenConcho follows semantic versioning via [semantic-release](https://semantic-release.gitbook.io/). Only the latest minor release on `main` receives security fixes.
|
|
|
|
| Version | Supported |
|
|
|---------|-----------|
|
|
| latest | ✅ |
|
|
| older | ❌ |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Please do not open public issues for security reports.**
|
|
|
|
Use GitHub's [private vulnerability reporting](https://github.com/offendingcommit/openconcho/security/advisories/new) to file a report. Include:
|
|
|
|
- A description of the issue and its impact
|
|
- Steps to reproduce
|
|
- Affected version(s)
|
|
- Any mitigations you've identified
|
|
|
|
You should expect an acknowledgement within 72 hours and a fix or status update within 14 days.
|
|
|
|
## Scope
|
|
|
|
OpenConcho is a frontend client. It stores connection config (`base URL`, optional `token`) in `localStorage` under the keys `openconcho:config` and `openconcho:theme`. It makes no network requests outside the Honcho instance you configure.
|
|
|
|
In-scope:
|
|
- XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI
|
|
- Token leakage from `localStorage` to third parties
|
|
- Build-toolchain supply-chain issues
|
|
|
|
Out of scope:
|
|
- Vulnerabilities in your own Honcho instance — report those upstream at [plastic-labs/honcho](https://github.com/plastic-labs/honcho)
|
|
- Issues that require physical access to an unlocked device
|