37 lines
1.2 KiB
Markdown
37 lines
1.2 KiB
Markdown
# Security Policy
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
If you discover a security vulnerability in this project, please report it responsibly.
|
|
|
|
**Do not open a public issue.** Instead:
|
|
|
|
1. Email: **[your-security-email@example.com]** (replace with your contact)
|
|
2. Or use [GitHub private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability) if enabled on this repository.
|
|
|
|
### What to include
|
|
|
|
- Description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Suggested fix (if any)
|
|
|
|
### Response timeline
|
|
|
|
- **Acknowledgment:** within 48 hours
|
|
- **Assessment:** within 7 days
|
|
- **Fix or mitigation:** depends on severity
|
|
|
|
## Security Practices
|
|
|
|
This project follows security best practices documented in:
|
|
|
|
- `docs/backend/security.md` — authentication, authorization, audit logging
|
|
- `docs/llm/safety.md` — LLM safety, prompt injection defense, privacy
|
|
- `RULES.md` — repository-wide security constraints
|
|
- `agents/security-auditor.md` — security review agent profile
|
|
|
|
## Scope
|
|
|
|
This policy applies to the codebase in this repository. Third-party dependencies are managed separately.
|