Replace entire codebase with homarr-labs/homarr
SECURITY.md
@@ -1,18 +1,29 @@
# Security Policy
## Supported Versions
Only the following versions will receive updates, that include improvements to the security:
This policy is relevant if you found potential vulnerabilities in an audit.
We consider something as a vulnerability if it...
| Version | Supported |
| ------- | ------------------ |
| 0.13 | :white_check_mark: |
| <=0.12 | :x: |
1. puts users or user data at risk
2. enables third parties to gain control or access (e.g. [RATs](https://en.wikipedia.org/wiki/Remote_desktop_software#RAT), [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation), ...)
3. abuses the system in an unintended way (e.g. crypto mining, proxy, ...)
## Supported Versions
We only fix security issues in the [latest stable version](https://github.com/homarr-labs/homarr/releases/latest). Meaning security issues in prior versions will not be fixed and users have to upgrade to the latest version to receive them.
## Reporting a Vulnerability
We take security issues very seriously.
When you found a security issue, please ask yourself the following question:
**Would this be publicly disclosed, could it cause any problems or harm to any Homarr instances or individuals?**
We use [GitHub's system for reporting vulnerabilities](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory).
Click [**here to report an advisory**](https://github.com/homarr-labs/homarr/security/advisories/new). Our team will get notified and will get back to you within 1-6 business days.
If the answer to that question is yes, please contact us immideatly using [this link](https://homarr.dev/docs/community/get-in-touch). E-Mail is preferred, but you can write ``manicraft1001`` or ``ajnart`` on Discord as well.
If the answer is no, please create a public visible issue: [Vulnerability](https://github.com/ajnart/homarr/issues/new?assignees=&labels=%F0%9F%90%9B+Bug&projects=&template=bug.yml&title=)
As a general guideline; please provide as much detail as possible and provide reproduction steps / documentation regarding the re-creation.
You may also provide a fork with a fix for the vulnerability.
See https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html for guidelines regarding disclosure.
If you're unable / unwilling (or it's not safe) to disclose vulnerabilites via GitHub, please report them with the subject "Security advisory - CVEXXX" to our email homarr-labs@proton.me.
Please never disclose security vulnerabilits on your own publicly - we'd like to search for a dimplomatic solution that is also safe for our users.
In your initial contact with us, please provide details according to the [OWASP guidelines for initial reports](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#initial-report).
Thank you!
We're looking forward to your report
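Review bot: the e-mail fallback added in this hunk asks reporters to use the subject "Security advisory - CVEXXX", but someone making first contact will normally have no CVE to cite (the project has not been told about the issue yet, and a CVE is requested after triage, typically through the GitHub advisory this same file links to), so the placeholder will either be left in literally or put reporters off; suggest a subject that needs no identifier, e.g. `Security advisory - <short description>`, with a note that a CVE ID can be added once one is assigned. Since that line is aimed explicitly at reporters for whom GitHub is "not safe", it should also say whether the proton.me mailbox has a public key for encrypted reports. The added lines carry spelling errors worth fixing before merge: "vulnerabilites" and "vulnerabilits" should read "vulnerabilities", and "dimplomatic" should read "diplomatic". Finally, the policy promises a reply "within 1-6 business days" but sets no target for fix or coordinated-disclosure timelines; adding one (the linked OWASP cheat sheet covers this) would tell reporters what to expect after acknowledgement.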