From 29e9a7041522a4b1d5982ff745e8e2db5f523c6a Mon Sep 17 00:00:00 2001 From: Aryan Gupta <148983503+aryanguptacsvtu@users.noreply.github.com> Date: Sat, 18 Oct 2025 09:41:51 +0530 Subject: [PATCH 1/2] SECURITY.md --- SECURITY.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..9cf2e8d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,67 @@ +# πŸ›‘οΈ Security Policy + +## πŸ“Œ Supported Versions + +We aim to keep `SysMood` up to date and secure. Please see below for the versions we currently support with security updates. + +| Version | Supported | +|---------|--------------------| +| Latest | βœ… Yes | +| Older | ❌ No | + +--- + +## πŸ“¬ Reporting a Vulnerability + +If you discover a security vulnerability, **please do not open an issue** on GitHub. + +Instead, follow these steps: + +1. **Email the maintainer directly** +2. Include the following details: + - Description of the vulnerability + - Steps to reproduce (if possible) + - Potential impact + - Any mitigation or workaround suggestions + +βŒ› We aim to respond to security reports **within 72 hours**. + +--- + +## 🚫 Responsible Disclosure Guidelines + +We ask that you: +- Do not publicly disclose the issue until it has been resolved. +- Avoid testing vulnerabilities in a way that could disrupt services. +- Act in good faith and with respect for user data and privacy. + +--- + +## πŸ“ƒ Disclosure Policy + +- We follow a **coordinated disclosure** approach. +- We appreciate responsible reporting and will publicly disclose the issue only **after a fix has been released**. + +--- + +## βœ… Security Best Practices + +While using this project, we recommend you: + +- Always run software in a secure and isolated environment. +- Keep your dependencies up to date. +- Avoid sharing sensitive API keys or credentials in `.env` or other public files. + +--- + +## πŸ™ Acknowledgments + +We value the contributions from the community and encourage responsible disclosure to help keep `SysMood` safe and secure for all users. + +--- + +## πŸ”’ Resources + +- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) +- [OpenSSF Best Practices](https://bestpractices.dev/) +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) From e0e96679450298b7147556ed5ba14c2cf609416c Mon Sep 17 00:00:00 2001 
From: Aryan Gupta <148983503+aryanguptacsvtu@users.noreply.github.com> Date: Sat, 25 Oct 2025 10:33:55 +0530 Subject: [PATCH 2/2] Update SECURITY.md Updated the Security Policy document to improve clarity and organization, including sections on supported versions, vulnerability reporting, responsible disclosure, and security best practices. --- SECURITY.md | 110 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 75 insertions(+), 35 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9cf2e8d..8be73f2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,67 +1,107 @@ -# πŸ›‘οΈ Security Policy +# Security Policy -## πŸ“Œ Supported Versions +This document outlines how security vulnerabilities should be reported, handled, and disclosed for **SysMood**. -We aim to keep `SysMood` up to date and secure. Please see below for the versions we currently support with security updates. +--- + +## Supported Versions + +We actively maintain only the **latest stable release** of SysMood. +Older versions do **not** receive security patches. + +| Version | Supported | +|----------|------------| +| Latest | Yes | +| Older releases | No | -| Version | Supported | -|---------|--------------------| -| Latest | βœ… Yes | -| Older | ❌ No | +Please upgrade to the latest version before reporting any issues. --- -## πŸ“¬ Reporting a Vulnerability +## Reporting a Vulnerability + +If you discover a vulnerability or security risk in SysMood, **do not open a public GitHub issue**. + +Instead, please: + +1. **Email the maintainer directly** + +2. Provide as much detail as possible: + - Description of the issue + - Steps to reproduce (if available) + - Potential impact or exploit scenario + - Any suggested fix or mitigation -If you discover a security vulnerability, **please do not open an issue** on GitHub. +We aim to acknowledge your report **within 72 hours**, and will work with you to validate, fix, and coordinate disclosure responsibly. -Instead, follow these steps: +--- + +## Responsible Disclosure Guidelines -1. **Email the maintainer directly** -2. Include the following details: - - Description of the vulnerability - - Steps to reproduce (if possible) - - Potential impact - - Any mitigation or workaround suggestions +Please adhere to the following principles: -βŒ› We aim to respond to security reports **within 72 hours**. +- **Do not publicly disclose** the vulnerability before a fix has been released. +- **Avoid disruptive testing** β€” do not run automated scans or denial-of-service attempts against public systems. 
+- **Act in good faith** to protect end users and data. + +Following these practices helps keep the community safe and ensures your findings are recognized and properly credited. --- -## 🚫 Responsible Disclosure Guidelines +## Disclosure Policy + +We follow a **coordinated disclosure** approach: -We ask that you: -- Do not publicly disclose the issue until it has been resolved. -- Avoid testing vulnerabilities in a way that could disrupt services. -- Act in good faith and with respect for user data and privacy. +- Once a verified fix is released, details of the vulnerability may be publicly disclosed. +- Credit will be given to the reporter (if requested). +- Until that time, all vulnerability details must remain private. --- -## πŸ“ƒ Disclosure Policy +## Security Best Practices -- We follow a **coordinated disclosure** approach. -- We appreciate responsible reporting and will publicly disclose the issue only **after a fix has been released**. +Because SysMood interacts with system-level data (CPU, memory, process states), users and contributors should follow these best practices: ---- +### For Users +- Run SysMood in a **trusted and isolated environment**. +- Avoid executing the binary with **administrator/root privileges** unless strictly necessary. +- **Verify release integrity** β€” check provided SHA-256 checksums or signatures. +- Keep your **compiler and dependencies** (if any) up to date. +- Do not share or include sensitive data (API keys, credentials, etc.) in logs or builds. -## βœ… Security Best Practices +### For Contributors +- Use **safe C++ practices**: bounds checking, smart pointers, input validation. +- Enable **compiler warnings and sanitizers** (`-Wall -Wextra -fsanitize=address,undefined`). +- Avoid unsafe C-style memory operations and unchecked parsing. +- Review commits for potential security regressions (especially if adding file or system access features). +- Use GitHub’s **CodeQL** or **Clang-Tidy** for static analysis when possible. 
-While using this project, we recommend you: +--- + +## Specific Risk Areas & Mitigations -- Always run software in a secure and isolated environment. -- Keep your dependencies up to date. -- Avoid sharing sensitive API keys or credentials in `.env` or other public files. +| Risk | Description | Mitigation | +|------|--------------|-------------| +| **Privilege escalation** | Running with elevated permissions may expose system data. | Run with least privilege. Document any required permissions. | +| **Memory safety** | Buffer overflows or invalid reads in native code. | Use safe libraries, smart pointers, sanitizers, and code review. | +| **Output injection** | Unsanitized console output or file writes. | Sanitize dynamic strings and avoid interpreting user input as commands. | +| **Sensitive logging** | Logging internal system info or PII. | Avoid unnecessary logging; redact sensitive details. | +| **Binary integrity** | Users running tampered executables. | Publish checksums or signatures for official releases. | --- -## πŸ™ Acknowledgments +## Acknowledgments -We value the contributions from the community and encourage responsible disclosure to help keep `SysMood` safe and secure for all users. +We sincerely thank community members who report vulnerabilities responsibly. +Your help makes SysMood safer for everyone. --- -## πŸ”’ Resources +## Resources - [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) - [OpenSSF Best Practices](https://bestpractices.dev/) -- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [OWASP Top 10 (for Native Applications)](https://owasp.org/www-project-top-ten/) +- [Microsoft Secure Coding Guidelines for C++](https://learn.microsoft.com/en-us/cpp/security/secure-coding-guidelines) + +---
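Review bot: in PATCH 1/2, the "Reporting a Vulnerability" section's step 1, "**Email the maintainer directly**", gives no address, so the only reporting channel the policy offers is unactionable; add the contact e-mail in that step (or link GitHub's private vulnerability reporting, which fits the "GitHub Security Advisories" entry already listed under Resources). Also, "Supported Versions" promises updates for "Latest" without saying how a user tells which release that is; a pointer to the releases page or tag scheme would make the table usable.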
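Review bot: in PATCH 2/2, the rewritten "Reporting a Vulnerability" section still reads "1. **Email the maintainer directly**" with no address, so the gap from the first commit survives the rewrite; add the e-mail or a private-reporting link. The "For Users" bullet "**Verify release integrity** β€” check provided SHA-256 checksums or signatures" and the table row "Publish checksums or signatures for official releases" both assume a publication location that the document never names; state where checksums are published. The resource entry "[OWASP Top 10 (for Native Applications)]" keeps the web-application Top Ten URL, so the new qualifier misdescribes the link; drop it or link a native-code resource. Minor: "Use GitHub's **CodeQL** or **Clang-Tidy**" reads as if Clang-Tidy were a GitHub tool; "CodeQL (GitHub) or Clang-Tidy" is clearer.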