diff --git a/SECURITY.md b/SECURITY.md index e25491bbd..248ce190f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,11 +1,19 @@ # Security Policy -## Reporting a Vulnerability +We take the security of Yopass seriously. If you believe you have discovered a security vulnerability in Yopass, we encourage you to report it to us responsibly. -If you find a vulnerability in this project, please report via email at johan{a}haals.se and do not create a public issue to prevent abuse. +## Security Vulnerability Disclosure -There are a couple of things that I do not consider to be security issues: +Please follow these guidelines when reporting a security issue: -- Enumeration/Gusessing of UUIDs or decryption keys +1. Email the report to johan{a}haals.se. Please do not create a public GitHub issue. +2. Provide a detailed description of the vulnerability, including steps to reproduce the issue, potential impact, and any suggested mitigations or remediations. +3. Allow a reasonable time for the Yopass maintainers to respond to your report and address the vulnerability before publicly disclosing it. We will keep you updated on our progress. + +We appreciate your efforts in keeping yopass secure for everyone and will acknowledge your contribution in the project's security advisories or changelog once the issue has been resolved. + +There are a couple of cases that we do not consider to be security issues: + +- Enumeration/Guessing of UUIDs or decryption keys - URLs being stored in browser history/cache - Vulnerabilities in build time dependencies not exploitable at runtime \ No newline at end of file
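Review bot: item 3 of the new disclosure guidelines asks reporters to "Allow a reasonable time" before publishing but never says what that is, so a reporter has nothing to plan against; replace the vague phrase with a concrete commitment such as "We aim to acknowledge reports within 7 days and to coordinate public disclosure within 90 days of the report", adjusting the numbers to what the maintainers can actually honour. Two smaller points in the same hunk: the acknowledgement sentence writes "keeping yopass secure" while every other added line uses "Yopass", and the only reporting channel offered is plain email to johan{a}haals.se, so consider also listing a PGP key or GitHub's private vulnerability reporting so that reproduction steps and decryption keys are not sent in the clear. The file still ends with "\ No newline at end of file"; worth adding the trailing newline while the file is being rewritten.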