From 633d9f149695e033e785ed509f4e56dd0fe50dfa Mon Sep 17 00:00:00 2001 From: lucaronin Date: Wed, 22 Apr 2026 20:46:24 +0200 Subject: [PATCH] Add security policy and private reporting guidance --- README.md | 4 ++++ SECURITY.md | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index d1062e90..c8d6b3ca 100644 --- a/README.md +++ b/README.md @@ -68,6 +68,10 @@ pnpm tauri dev - πŸš€ [GETTING-STARTED.md](docs/GETTING-STARTED.md) β€” How to navigate the codebase - πŸ“š [ADRs](docs/adr) β€” Architecture Decision Records +## Security + +If you believe you have found a security issue, please report it privately as described in [SECURITY.md](./SECURITY.md). + ## License Tolaria is licensed under AGPL-3.0-or-later. The Tolaria name and logo remain covered by the project’s trademark policy. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..586b4da0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,55 @@ +# Security Policy + +Thanks for helping keep Tolaria safe. + +If you believe you have found a security vulnerability, **please do not open a public GitHub issue**. Report it privately instead. + +## Supported versions + +We currently support security fixes for: + +| Version | Supported | +| --- | --- | +| Latest stable release | βœ… | +| `main` branch | Best effort | +| Older releases / prereleases | ❌ | + +## Reporting a vulnerability + +Please email **luca@refactoring.club** with the subject line **`[Tolaria Security]`**. + +Include as much of the following as you can: + +- a short description of the issue +- reproduction steps or a proof of concept +- affected version / commit, if known +- impact assessment +- any suggested mitigation + +If the issue involves sensitive user data, credentials, or a working exploit, keep the report private and do not post details publicly. + +## What to expect + +We will try to: + +- acknowledge receipt within a few business days +- reproduce and assess the report +- work on a fix or mitigation if the issue is valid +- coordinate public disclosure after users have had a reasonable chance to update + +## Disclosure guidelines + +Please give us a reasonable amount of time to investigate and ship a fix before publishing details. + +We appreciate responsible disclosure and good-faith research. + +## Out of scope + +The following are generally out of scope unless they demonstrate a real security impact: + +- missing best-practice headers or hardening with no practical exploit +- self-XSS or editor behavior that requires unrealistic user actions +- reports that only affect unsupported old builds +- purely theoretical issues with no plausible attack path + +If you are unsure whether something qualifies, please still report it privately.