docs: add security policy
72
SECURITY.md
@@ -2,20 +2,68 @@
## Supported Versions
## Supported Versions
Use this section to tell people about which versions of your project are
Open Claude is currently maintained on the latest `main` branch and the latest
currently being supported with security updates.
npm release only.
| Version | Supported |
| Version | Supported |
| ------- | ------------------ |
| ------- | --------- |
| 5.1.x | :white_check_mark: |
| Latest release | :white_check_mark: |
| 5.0.x | :x: |
| Older releases | :x: |
| 4.0.x | :white_check_mark: |
| Unreleased forks / modified builds | :x: |
| < 4.0 | :x: |
Security fixes are generally released in the next patch version and may also be
landed directly on `main` before a package release is published.
## Reporting a Vulnerability
## Reporting a Vulnerability
Use this section to tell people how to report a vulnerability.
If you believe you have found a security vulnerability in Open Claude, please
report it privately.
Tell them where to go, how often they can expect to get an update on a
Preferred reporting channel:
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
- GitHub Security Advisories / private vulnerability reporting for this
repository
Please include:
- a clear description of the issue
- affected version, commit, or environment
- reproduction steps or a proof of concept
- impact assessment
- any suggested remediation, if available
Please do **not** open a public issue for an unpatched vulnerability.
## Response Process
Our general goals are:
- initial triage acknowledgment within 7 days
- follow-up after validation when we can reproduce the issue
- coordinated disclosure after a fix is available
Severity, exploitability, and maintenance bandwidth may affect timelines.
## Disclosure and CVEs
Valid reports may be fixed privately first and disclosed after a patch is
available.
If a report is accepted and the issue is significant enough to warrant formal
tracking, we may publish a GitHub Security Advisory and request or assign a CVE
through the appropriate channel. CVE issuance is not guaranteed for every
report.
## Scope
This policy applies to:
- the Open Claude source code in this repository
- official release artifacts published from this repository
- the `@gitlawb/openclaude` npm package
This policy does not cover:
- third-party model providers, endpoints, or hosted services
- local misconfiguration on the reporter's machine
- vulnerabilities in unofficial forks, mirrors, or downstream repackages
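Review bot: the "Reporting a Vulnerability" section lists GitHub Security Advisories / private vulnerability reporting as the only channel, but that feature is off by default and has to be enabled in the repository settings, and the policy offers no fallback for a reporter who cannot use it; state that private reporting is enabled for this repository and add a second contact route so a report is never forced into a public issue. Two smaller points in the same hunk: the prose says the project is "maintained on the latest `main` branch" and that fixes "may also be landed directly on `main` before a package release", yet the Supported Versions table has rows only for "Latest release", "Older releases" and "Unreleased forks / modified builds", so a reader cannot tell whether a report against `main` is in scope; a `main` row would settle that. And under "Response Process" the only dated commitment is "initial triage acknowledgment within 7 days", with "follow-up after validation" left open-ended; a target window for that follow-up (even a loose one, given the "maintenance bandwidth" caveat) tells reporters when it is reasonable to chase.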