|
| 1 | +# Security Policy for JoobQ |
| 2 | + |
| 3 | +Welcome to the **JoobQ** project! Security is a top priority for us. This document outlines our policy for reporting, handling, and addressing security vulnerabilities within the JoobQ project. |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +## **Supported Versions** |
| 8 | + |
| 9 | +The following versions of JoobQ are currently supported with security updates: |
| 10 | + |
| 11 | +| Version | Supported | |
| 12 | +|----------------|-------------------| |
| 13 | +| Latest Release | ✅ | |
| 14 | +| Older Releases | ❌ (Contact us for exceptions) | |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +## **Reporting a Vulnerability** |
| 19 | + |
| 20 | +If you discover a security vulnerability, we encourage you to help us responsibly resolve it. Please follow these steps: |
| 21 | + |
| 22 | +1. **Do not disclose publicly**: Avoid posting details of the vulnerability in public forums, GitHub issues, or any other public channels. |
| 23 | + |
| 24 | +2. **Report privately **: Submit the vulnerability report via email to **[[email protected]](mailto:[email protected])** with the following details: |
| 25 | + - A description of the vulnerability and its impact. |
| 26 | + - Steps to reproduce the issue. |
| 27 | + - Suggested fixes (if applicable). |
| 28 | + - Your contact information for further clarification. |
| 29 | + |
| 30 | +3. **Acknowledgment**: We will acknowledge receipt of your report within 48 hours and provide a timeline for our response. |
| 31 | + |
| 32 | +4. **Coordination**: We may ask for additional details to reproduce or validate the issue. We aim to resolve confirmed vulnerabilities promptly and will coordinate a public disclosure timeline with you. |
| 33 | + |
| 34 | +--- |
| 35 | + |
| 36 | +## **Response Time Goals** |
| 37 | + |
| 38 | +We aim to meet the following response times for security issues: |
| 39 | + |
| 40 | +- **Initial acknowledgment**: Within 48 hours of reporting. |
| 41 | +- **Issue validation**: Within 7 days of acknowledgment. |
| 42 | +- **Fix or mitigation release**: Within 30 days, depending on complexity. |
| 43 | + |
| 44 | +--- |
| 45 | + |
| 46 | +## **Security Updates and Releases** |
| 47 | + |
| 48 | +When a security fix is released, we will: |
| 49 | + |
| 50 | +1. Publish an updated release on GitHub. |
| 51 | +2. Include a detailed changelog entry highlighting the fix. |
| 52 | +3. Optionally coordinate with public vulnerability databases (e.g., CVE). |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +## **Scope of Security Coverage** |
| 57 | + |
| 58 | +We cover the following areas: |
| 59 | + |
| 60 | +- **Code vulnerabilities**: Including bugs that allow unauthorized access, privilege escalation, or data corruption. |
| 61 | +- **Dependency vulnerabilities**: When found in JoobQ dependencies, we will work to update or patch them. |
| 62 | + |
| 63 | +The following are out of scope: |
| 64 | +- Vulnerabilities in downstream applications using JoobQ. |
| 65 | +- Issues arising from misconfigurations or misuse. |
| 66 | + |
| 67 | +--- |
| 68 | + |
| 69 | +## **Security Best Practices** |
| 70 | + |
| 71 | +To enhance security for users of JoobQ: |
| 72 | +- Keep your dependencies up-to-date. |
| 73 | +- Follow secure deployment and configuration practices. |
| 74 | +- Monitor the [GitHub Advisory Database](https://github.com/advisories) for related issues. |
| 75 | + |
| 76 | +--- |
| 77 | + |
| 78 | +## **Credits and Recognition** |
| 79 | + |
| 80 | +We value contributions from the community and will publicly acknowledge individuals or teams who responsibly report vulnerabilities, unless they prefer to remain anonymous. |
| 81 | + |
| 82 | +Thank you for helping keep JoobQ secure! |
| 83 | + |
| 84 | +--- |
| 85 | + |
| 86 | +For questions or additional support, please contact us at **[[email protected]](mailto:[email protected])**. |
| 87 | + |
| 88 | +--- |
| 89 | + |
| 90 | +*Last Updated: December 13, 2024* |
0 commit comments