docs: add SECURITY.md
SECURITY.md (new file, 67 lines added)
@@ -0,0 +1,67 @@
# Security Policy

## Supported Versions

This is a personal portfolio project, so there is no formal long-term support schedule. Security
fixes are applied to the current main branch when issues are confirmed and within the practical
maintenance capacity of the project.

## Reporting A Vulnerability

Please do not open a public issue for a security vulnerability.

Report security concerns privately to the repository maintainer. Include as much detail as you can:

- a description of the vulnerability;
- steps to reproduce the issue;
- affected routes, commands, files, or configuration;
- the potential impact;
- any suggested fix or mitigation, if you have one.

You can expect a best-effort response acknowledging the report, followed by validation and a fix when
the issue is reproducible and in scope.

## Security Scope

The most important security areas for this project are:

- local authentication and session handling;
- watchlist and playback progress data;
- playback proxy tokens and signed stream access;
- subtitle and playlist proxying;
- external provider integration boundaries;
- SQLite database access and migrations;
- configuration loaded from environment variables or `.env` files.

Reports involving these areas are especially useful.

## Out Of Scope

The following are generally out of scope unless they expose a direct application vulnerability:

- issues that require full local machine access;
- denial-of-service reports against a local development server;
- vulnerabilities in third-party services outside this repository;
- missing production hardening for deployments that are not documented or supported by the project;
- social engineering or physical attacks.

## Operational Notes

This application is designed to be self-hosted and local-first. If you deploy it beyond a private
local environment, you are responsible for the surrounding production controls, including TLS, network
access, backups, secrets management, reverse proxy configuration, logging retention, and dependency
monitoring.

Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real
secrets, provider tokens, session data, or production databases to the repository.

## Dependency Security

Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal local
checks before merging:

```bash
just check
```

Security-related dependency updates should be kept small and reviewed separately when possible.
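Review bot: the "Reporting A Vulnerability" section asks reporters to contact the maintainer privately but never says how; with no email address, no private vulnerability-reporting link for the hosting platform, and no PGP key listed, the only visible channel is the public issue tracker the section tells them not to use. Add one concrete private contact (and, ideally, an expected acknowledgement window) so the policy is actionable. Two smaller points in the same hunk: "Supported Versions" implies that only the main branch receives fixes and that tagged releases are unsupported, but does not say so, so state it plainly; and "Dependency Security" tells contributors to run `just check` without saying what that recipe covers, so note whether it includes a vulnerability scan of the Go and Bun dependencies or whether that is a separate manual step.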