# Security Policy
## Supported Versions
Kyoo is maintained as an open-source project. Security fixes are generally provided for the latest released version and the current development branch.

| Version / Branch | Supported |
| ------------------------------------------ | -------------------------------------- |
| Latest release | Yes |
| `master` | Yes, when reproducible on current code |
| Older releases | Best effort |
| Unmaintained forks or modified deployments | No |

If you are unsure whether your version is affected, please include the version, commit hash, deployment method, and relevant configuration details in your report.
## Reporting a Vulnerability
Please do **not** report security vulnerabilities through public GitHub issues, pull requests, or discussions.
To report a vulnerability, please contact the maintainer privately using one of the following channels:
* Email: `zoe.roux@zoriya.dev`
* Discord: `@zoriya`
Email is preferred for detailed vulnerability reports, proof-of-concept material, logs, patches, or any information that should remain private.
Please include as much detail as possible to help us understand and reproduce the issue:
* A clear description of the vulnerability
* The affected component, route, endpoint, API, or feature
* Impact and realistic attack scenario
* Steps to reproduce
* Proof of concept, if available
* Affected version, commit hash, or Docker image tag
* Deployment details, such as reverse proxy, authentication setup, exposed services, and configuration
* Any suggested remediation or patch
We will acknowledge receipt of a valid report as soon as possible and will work with the reporter to validate the issue, develop a fix, and coordinate disclosure.
## Scope
Security issues may include, but are not limited to:
* Authentication or authorization bypass
* Privilege escalation
* Remote code execution
* Server-side request forgery
* Path traversal or arbitrary file access
* SQL injection or other injection vulnerabilities
* Cross-site scripting with meaningful security impact
* Exposure of secrets, tokens, or sensitive user data
* Vulnerabilities in the Docker deployment or default configuration
The following are generally out of scope unless they demonstrate a clear security impact:
* Missing security headers without an exploitable impact
* Denial-of-service issues requiring unrealistic resource exhaustion
* Vulnerabilities only affecting outdated, unsupported dependencies without a working exploit path in Kyoo
* Reports from automated scanners without validation
* Issues requiring physical access to the server
* Social engineering attacks
## Coordinated Disclosure
Please allow the maintainers reasonable time to investigate and address the issue before making details public.
We ask reporters to:
* Keep vulnerability details private until a fix or advisory is published
* Avoid accessing, modifying, or deleting other users' data
* Avoid service disruption or destructive testing
* Provide enough information for maintainers to reproduce the issue safely
After the issue is fixed, the maintainers may publish a GitHub Security Advisory and credit the reporter, unless the reporter prefers to remain anonymous.
## Security Updates
Security fixes may be released as:
* A patched release
* A Docker image update
* A commit on the default branch
* A GitHub Security Advisory
* Documentation or configuration guidance, where appropriate
Users are encouraged to keep Kyoo and its dependencies up to date.