docs: add security policy
SECURITY.md
@@ -2,20 +2,68 @@


## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.
Open Claude is currently maintained on the latest `main` branch and the latest
npm release only.

| Version | Supported |
| ------- | ------------------ |
| 5.1.x | :white_check_mark: |
| 5.0.x | :x: |
| 4.0.x | :white_check_mark: |
| < 4.0 | :x: |
| ------- | --------- |
| Latest release | :white_check_mark: |
| Older releases | :x: |
| Unreleased forks / modified builds | :x: |

Security fixes are generally released in the next patch version and may also be
landed directly on `main` before a package release is published.

## Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.
If you believe you have found a security vulnerability in Open Claude, please
report it privately.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.
Preferred reporting channel:

- GitHub Security Advisories / private vulnerability reporting for this
repository

Please include:

- a clear description of the issue
- affected version, commit, or environment
- reproduction steps or a proof of concept
- impact assessment
- any suggested remediation, if available

Please do **not** open a public issue for an unpatched vulnerability.

## Response Process

Our general goals are:

- initial triage acknowledgment within 7 days
- follow-up after validation when we can reproduce the issue
- coordinated disclosure after a fix is available

Severity, exploitability, and maintenance bandwidth may affect timelines.

## Disclosure and CVEs

Valid reports may be fixed privately first and disclosed after a patch is
available.

If a report is accepted and the issue is significant enough to warrant formal
tracking, we may publish a GitHub Security Advisory and request or assign a CVE
through the appropriate channel. CVE issuance is not guaranteed for every
report.

## Scope

This policy applies to:

- the Open Claude source code in this repository
- official release artifacts published from this repository
- the `@gitlawb/openclaude` npm package

This policy does not cover:

- third-party model providers, endpoints, or hosted services
- local misconfiguration on the reporter's machine
- vulnerabilities in unofficial forks, mirrors, or downstream repackages

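Review bot: the rendered view has dropped the `+`/`-` markers, so confirm that the GitHub template placeholders still visible in this hunk, namely `Use this section to tell people about which versions of your project are`, `Tell them where to go, how often they can expect to get an update on a`, and the `5.1.x` / `5.0.x` / `4.0.x` / `< 4.0` table rows, are all on the removed side and none of them survive in the committed SECURITY.md; the `-2,20 +2,68` counts are consistent with that, but the header row `| Version | Supported |` is shared by the old and new tables, so only one separator row should remain under it after the commit. A smaller style point: the reporting-channel bullet is wrapped across two source lines (`- GitHub Security Advisories / private vulnerability reporting for this` followed by `repository`), which Markdown renders as one item but reads as a stray paragraph in the raw file; keeping it on a single line avoids that.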