Procházet zdrojové kódy

Merge pull request #267 from eddieran/chore/security-policy

chore: add SECURITY.md (private vulnerability reporting policy)
MaxKey před 1 dnem
rodič
revize
6681d19bf1
1 změnil soubory, kde provedl 63 přidání a 0 odebrání
  1. 63 0
      SECURITY.md

+ 63 - 0
SECURITY.md

@@ -0,0 +1,63 @@
+# Security Policy
+
+Thanks for helping keep MaxKey and the wider [dromara](https://github.com/dromara) ecosystem secure.
+
+## Reporting a vulnerability
+
+**Please do not open a public issue, discussion, or pull request that describes a suspected vulnerability** — that gives attackers a head-start before a fix lands.
+
+Use one of these private channels instead:
+
+1. **GitHub's Private Vulnerability Reporting (preferred).**
+   Open a private security advisory at <https://github.com/dromara/MaxKey/security/advisories/new>.
+   GitHub automatically routes it to the maintainers, keeps the discussion private until you and the maintainers agree to publish, and (optionally) assigns a CVE on publish.
+
+2. **Email.**
+   If GitHub PVR is unavailable to you for any reason, email the project lead directly. Maintainers should add the preferred email here when they configure the policy.
+
+## What to include
+
+A good report contains:
+
+- A clear description of the vulnerability and its impact.
+- Steps to reproduce against a specific commit SHA or release tag.
+- Affected code locations (`file:line`) where useful.
+- A suggested fix or mitigation if you have one.
+- Whether you'd like credit in the published advisory and, if so, under what name.
+
+## Scope and supported versions
+
+MaxKey is an enterprise-grade Identity and Access Management (IAM) and Single Sign-On (SSO) platform supporting SAML, OAuth2, OIDC, CAS, JWT, and more. The maintainers support security fixes on the latest minor release. Older releases will not generally receive backports.
+
+In-scope vulnerability classes include:
+
+- Authentication / authorization bypass
+- SSO redirect / open-redirect / ticket exfiltration
+- SAML / OAuth2 / OIDC / CAS protocol implementation flaws
+- JWT / token signature / claims handling flaws
+- Session fixation, password-reset / MFA bypass
+- SSRF in identity-provider metadata fetching
+- Cryptographic misuse in stored secrets / signing keys / passwords
+
+Out-of-scope:
+
+- Findings against intentionally trusted-admin features (e.g. admin-only configuration interfaces).
+- Issues that require an attacker to already have full database / server access.
+- Best-practice complaints without a concrete impact (e.g. "this header should be set", "TLS version should be raised").
+
+## Process
+
+After you submit:
+
+1. A maintainer will acknowledge receipt within roughly 1 week.
+2. We'll triage the report: confirm severity, scope, and reproducibility.
+3. We'll work with you on a fix and a coordinated disclosure timeline (typically up to 90 days, longer if the fix is structural).
+4. On publication, we credit you in the advisory unless you ask not to be credited.
+
+## Hall of fame
+
+Reporters who have helped harden MaxKey via responsible disclosure will be listed here once the corresponding advisory is published.
+
+---
+
+This policy is suggested via [GitHub's "Suggest a security policy" workflow](https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository). Maintainers can edit any section freely; the most important thing is that **a private reporting channel exists** so researchers can submit findings responsibly.