|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## 🔐 Supported Versions |
| 4 | + |
| 5 | +The following versions of CommDesk are currently supported with security updates: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | --------- | |
| 9 | +| 0.1.x | ✅ Yes | |
| 10 | +| < 0.1 | ❌ No | |
| 11 | + |
| 12 | +We recommend always using the latest release for security fixes and improvements. |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +## 🚨 Reporting a Vulnerability |
| 17 | + |
| 18 | +If you discover a security vulnerability, please report it responsibly. |
| 19 | + |
| 20 | +### 📩 How to Report |
| 21 | +- Email: **security@nexgenstudio.dev** |
| 22 | +- Or open a **private security advisory** via GitHub: |
| 23 | + - Go to the repository |
| 24 | + - Click **Security → Advisories → Report a vulnerability** |
| 25 | + |
| 26 | +### ❗ Please DO NOT: |
| 27 | +- Open public issues for security vulnerabilities |
| 28 | +- Share exploits publicly before disclosure |
| 29 | + |
| 30 | +--- |
| 31 | + |
| 32 | +## 🛡️ What to Include in a Report |
| 33 | + |
| 34 | +To help us respond quickly, include: |
| 35 | + |
| 36 | +- Description of the vulnerability |
| 37 | +- Steps to reproduce |
| 38 | +- Potential impact |
| 39 | +- Screenshots or proof-of-concept (if applicable) |
| 40 | +- Suggested fix (optional but appreciated) |
| 41 | + |
| 42 | +--- |
| 43 | + |
| 44 | +## ⏱️ Response Timeline |
| 45 | + |
| 46 | +| Stage | Timeline | |
| 47 | +|-----------------------|---------------| |
| 48 | +| Acknowledgement | Within 48 hours | |
| 49 | +| Initial assessment | Within 3–5 days | |
| 50 | +| Fix & patch release | Depends on severity | |
| 51 | + |
| 52 | +We aim to resolve critical issues as quickly as possible. |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +## 🔒 Security Practices |
| 57 | + |
| 58 | +CommDesk follows these security practices: |
| 59 | + |
| 60 | +- Role-based access control (RBAC) |
| 61 | +- Strict frontend-backend boundary enforcement |
| 62 | +- Input validation and sanitization |
| 63 | +- Dependency auditing (via `pnpm audit`) |
| 64 | +- Signed desktop updates using Tauri updater |
| 65 | +- Secure key handling (`~/.tauri/commdesk.key`) |
| 66 | + |
| 67 | +--- |
| 68 | + |
| 69 | +## 📦 Desktop App Security |
| 70 | + |
| 71 | +- All production releases should be **signed** |
| 72 | +- Auto-updates must use **verified signatures** |
| 73 | +- Do not distribute unsigned binaries in production |
| 74 | + |
| 75 | +--- |
| 76 | + |
| 77 | +## 🧪 Responsible Disclosure |
| 78 | + |
| 79 | +We appreciate responsible disclosure and will: |
| 80 | + |
| 81 | +- Credit researchers (if desired) |
| 82 | +- Work collaboratively on fixes |
| 83 | +- Keep communication transparent |
| 84 | + |
| 85 | +--- |
| 86 | + |
| 87 | +## ⚠️ Disclaimer |
| 88 | + |
| 89 | +This project is under active development. While we strive for strong security practices, users should: |
| 90 | + |
| 91 | +- Avoid using in high-risk production environments without audit |
| 92 | +- Regularly update to latest versions |
| 93 | + |
| 94 | +--- |
| 95 | + |
| 96 | +## ❤️ Acknowledgements |
| 97 | + |
| 98 | +We thank the open-source community and contributors for helping improve the security of CommDesk. |
| 99 | + |
| 100 | +--- |
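Review bot: Under `## 🔒 Security Practices` the bullets state mechanisms too loosely for a contributor to verify, and two of them are incomplete for a Tauri app. `Dependency auditing (via pnpm audit)` covers only the JavaScript side; the Rust crate tree needs `cargo audit` (or `cargo deny`) as well, so name both. `Secure key handling (~/.tauri/commdesk.key)` should say what is actually done rather than that it is secure: the updater private key is never committed, reaches CI only as a secret (Tauri reads it from `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` in v1, `TAURI_SIGNING_PRIVATE_KEY` and `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` in v2), and only the public key is embedded in `tauri.conf.json`. `Strict frontend-backend boundary enforcement` should name the mechanism, i.e. the Tauri allowlist or capabilities plus the CSP in `tauri.conf.json`. Under `## 📦 Desktop App Security`, `All production releases should be **signed**` is a recommendation, not a policy; use "must", and distinguish the two signatures involved: the updater's minisign signature, which the updater checks against the embedded pubkey, and OS code signing or notarization, which the OS enforces and the updater does not check. Finally, `## 🚨 Reporting a Vulnerability` gives neither a PGP key for `security@nexgenstudio.dev` nor a disclosure window; adding both tells researchers how to send details confidentially and when they may publish.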