From bb0d4b09108ade349cb4102d31fe672d91106a7e Mon Sep 17 00:00:00 2001 From: Max Randhahn <49589091+maajix@users.noreply.github.com> Date: Fri, 29 May 2026 10:14:57 +0200 Subject: [PATCH] Enhance security policy with reporting and disclosure details (#1516) --- SECURITY.md | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..9a1bbbc6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,86 @@ +# Security Policy + +## Supported Versions + +Kyoo is maintained as an open-source project. Security fixes are generally provided for the latest released version and the current development branch. + +| Version / Branch | Supported | +| ------------------------------------------ | -------------------------------------- | +| Latest release | Yes | +| `master` | Yes, when reproducible on current code | +| Older releases | Best effort | +| Unmaintained forks or modified deployments | No | + +If you are unsure whether your version is affected, please include the version, commit hash, deployment method, and relevant configuration details in your report. + +## Reporting a Vulnerability + +Please do **not** report security vulnerabilities through public GitHub issues, pull requests, or discussions. + +To report a vulnerability, please contact the maintainer privately using one of the following channels: + +* Email: `zoe.roux@zoriya.dev` +* Discord: `@zoriya` + +Email is preferred for detailed vulnerability reports, proof-of-concept material, logs, patches, or any information that should remain private. + +Please include as much detail as possible to help us understand and reproduce the issue: + +* A clear description of the vulnerability +* The affected component, route, endpoint, API, or feature +* Impact and realistic attack scenario +* Steps to reproduce +* Proof of concept, if available +* Affected version, commit hash, or Docker image tag +* Deployment details, such as reverse proxy, authentication setup, exposed services, and configuration +* Any suggested remediation or patch + +We will acknowledge receipt of a valid report as soon as possible and will work with the reporter to validate the issue, develop a fix, and coordinate disclosure. + +## Scope + +Security issues may include, but are not limited to: + +* Authentication or authorization bypass +* Privilege escalation +* Remote code execution +* Server-side request forgery +* Path traversal or arbitrary file access +* SQL injection or other injection vulnerabilities +* Cross-site scripting with meaningful security impact +* Exposure of secrets, tokens, or sensitive user data +* Vulnerabilities in the Docker deployment or default configuration + +The following are generally out of scope unless they demonstrate a clear security impact: + +* Missing security headers without an exploitable impact +* Denial-of-service issues requiring unrealistic resource exhaustion +* Vulnerabilities only affecting outdated, unsupported dependencies without a working exploit path in Kyoo +* Reports from automated scanners without validation +* Issues requiring physical access to the server +* Social engineering attacks + +## Coordinated Disclosure + +Please allow the maintainers reasonable time to investigate and address the issue before making details public. + +We ask reporters to: + +* Keep vulnerability details private until a fix or advisory is published +* Avoid accessing, modifying, or deleting other users’ data +* Avoid service disruption or destructive testing +* Provide enough information for maintainers to reproduce the issue safely + +After the issue is fixed, the maintainers may publish a GitHub Security Advisory and credit the reporter, unless the reporter prefers to remain anonymous. + +## Security Updates + +Security fixes may be released as: + +* A patched release +* A Docker image update +* A commit on the default branch +* A GitHub Security Advisory +* Documentation or configuration guidance, where appropriate + +Users are encouraged to keep Kyoo and its dependencies up to date.