Add SECURITY.md

+40
SECURITY.md
··· 1 + # Security Policy 2 + 3 + ## Supported Versions 4 + Only the **latest production release** of Phanpy receives security updates. Always update to the newest production version for the best protection. 5 + 6 + ## Reporting a Vulnerability 7 + 8 + **Please don’t discuss security issues in public GitHub issues.** Instead: 9 + 10 + 1. **GitHub Private Reporting** (preferred): 11 + - Click ["Report a vulnerability"](https://github.com/cheeaun/phanpy/security/advisories/new) under the **Security** tab. 12 + 2. **Email**: 13 + - Reach out to me directly at cheeaun@gmail.com 14 + 15 + **Include**: 16 + - Steps to reproduce the issue 17 + - Which parts of Phanpy are affected 18 + - How severe you think the impact could be 19 + 20 + ## Disclosure Policy 21 + 22 + **Heads up:** I’m a solo maintainer working on Phanpy in my free time. While I take security seriously, I can’t promise enterprise-grade response times. Here’s how I’ll handle reports: 23 + 24 + 1. **Confirmation**: I’ll acknowledge reports when possible, but this might take weeks due to limited availability. 25 + 2. **Fixing**: Critical bugs will be prioritized, but fixes may take significant time. If it’s urgent, feel free to follow up. 26 + 3. **Public Disclosure**: Patched vulnerabilities will be disclosed once the fix is confirmed stable and most users have updated. 27 + 28 + ## Security Practices 29 + 30 + ### For Users 31 + 32 + - Use Phanpy with a Mastodon instance that enforces **HTTPS**. 33 + - Treat OAuth tokens like passwords – don’t share them! 34 + 35 + ### For Developers 36 + 37 + - **Dependencies**: GitHub Dependabot alerts are enabled for vulnerability monitoring. 38 + - **Code**: 39 + - Basic input sanitization to prevent XSS. 40 + - *Planned*: Improvements to client-side storage security (contributions welcome!).
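Review bot: the Disclosure Policy (item 3, "Patched vulnerabilities will be disclosed once the fix is confirmed stable and most users have updated") gives reporters no upper bound on the embargo, and "most users have updated" is not something a maintainer of a web client can measure for self-hosted deployments. Consider stating a maximum coordinated-disclosure window (a fixed number of days after the fix ships) so reporters know when they may publish, and pair it with the existing "If it's urgent, feel free to follow up" wording. Related gap in the "Include" list under Reporting a Vulnerability: since Supported Versions says only the latest production release gets fixes, ask reporters for the version, commit or deployed URL they tested against, otherwise triage cannot tell whether the report is already fixed. Minor: the email route offers no encryption key; if private GitHub reporting is the preferred channel, say that plaintext email should be used only when that is unavailable.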