# Security Policy

## Supported Versions

This is a personal portfolio project, so there is no formal long-term support schedule. Security fixes are applied to the current main branch when issues are confirmed and within the practical maintenance capacity of the project.

## Reporting A Vulnerability

Please do not open a public issue for a security vulnerability.

Report security concerns privately to the repository maintainer. Include as much detail as you can:

- a description of the vulnerability;
- steps to reproduce the issue;
- affected routes, commands, files, or configuration;
- the potential impact;
- any suggested fix or mitigation, if you have one.

You can expect a best-effort response acknowledging the report, followed by validation and a fix when the issue is reproducible and in scope.

## Security Scope

The most important security areas for this project are:

- local authentication and session handling;
- watchlist and playback progress data;
- playback proxy tokens and signed stream access;
- subtitle and playlist proxying;
- external provider integration boundaries;
- SQLite database access and migrations;
- configuration loaded from environment variables or `.env` files.

Reports involving these areas are especially useful.

## Out Of Scope

The following are generally out of scope unless they expose a direct application vulnerability:

- issues that require full local machine access;
- denial-of-service reports against a local development server;
- vulnerabilities in third-party services outside this repository;
- missing production hardening for deployments that are not documented or supported by the project;
- social engineering or physical attacks.

## Operational Notes

This application is designed to be self-hosted and local-first. If you deploy it beyond a private local environment, you are responsible for the surrounding production controls, including TLS, network access, backups, secrets management, reverse proxy configuration, logging retention, and dependency monitoring.

Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real secrets, provider tokens, session data, or production databases to the repository.

## Dependency Security

Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal local checks before merging:

```bash
just check
```

Security-related dependency updates should be kept small and reviewed separately when possible.