openconcho/SECURITY.md
Offending Commit 3fa4d599fe docs: add OSS community health files
- CONTRIBUTING.md: contributor onboarding, conventional commit rules, local setup
- CODE_OF_CONDUCT.md: adopts Contributor Covenant 2.1 by reference
- SECURITY.md: vulnerability reporting via GitHub private advisories, scope boundaries
- .github/ISSUE_TEMPLATE/config.yml: disables blank issues, links to discussions and Honcho upstream

Lifts the GitHub community profile score from 57% toward 100%.
2026-05-01 09:57:57 -05:00

1.4 KiB

Security Policy

Supported Versions

OpenConcho follows semantic versioning via semantic-release. Only the latest minor release on main receives security fixes.

Version   Supported
latest    yes
older     no

Reporting a Vulnerability

Please do not open public issues for security reports.

Use GitHub's private vulnerability reporting to file a report. Include:

  • A description of the issue and its impact
  • Steps to reproduce
  • Affected version(s)
  • Any mitigations you've identified

You should expect an acknowledgement within 72 hours and a fix or status update within 14 days.

Scope

OpenConcho is a frontend client. It stores connection config (base URL, optional token) in localStorage under the keys openconcho:config and openconcho:theme. It makes no network requests outside the Honcho instance you configure.

In-scope:

  • XSS, CSRF, or other client-side vulnerabilities in the OpenConcho UI
  • Token leakage from localStorage to third parties
  • Build-toolchain supply-chain issues

Out of scope:

  • Vulnerabilities in your own Honcho instance — report those upstream at plastic-labs/honcho
  • Issues that require physical access to an unlocked device