Skip to content

Commit 4db4050

Browse files
committed
doc(SECURITY): added
1 parent a4d26bd commit 4db4050

3 files changed

Lines changed: 48 additions & 1 deletion

File tree

.github/workflows/coverage.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,8 @@ name: Test Coverage
22

33
on:
44
workflow_call:
5+
push:
6+
branches: [main]
57

68
env:
79
CI: true

.github/workflows/publish.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,10 +27,11 @@ jobs:
2727
- uses: actions/setup-node@v6
2828
with:
2929
registry-url: https://registry.npmjs.org/
30+
node-version: 24
3031
- uses: actions/checkout@v6
3132
with:
3233
fetch-depth: 0
33-
- run: npm publish --access public
34+
- run: npm publish --access public --provenance
3435

3536
publish-gpr:
3637
needs: build

SECURITY.md

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
Only the latest published version (per semver) of each NicTool package receives security fixes.
6+
7+
| Package | Supported |
8+
| ------- | --------- |
9+
| Latest release ||
10+
| Older releases ||
11+
12+
## Reporting a Vulnerability
13+
14+
**Please do not open a public GitHub issue for security vulnerabilities.**
15+
16+
Report vulnerabilities privately via GitHub's built-in security advisory mechanism:
17+
18+
👉 https://github.com/nictool/.github/security/advisories/new
19+
20+
You can also report against a specific repository:
21+
22+
- **DNS libraries**:
23+
- https://github.com/nictool/dns-resource-record/security/advisories/new
24+
- https://github.com/nictool/dns-nameserver/security/advisories/new
25+
- https://github.com/nictool/dns-zone/security/advisories/new
26+
- https://github.com/nictool/server/security/advisories/new
27+
- https://github.com/nictool/validate/security/advisories/new
28+
- **Legacy 2.x**: https://github.com/nictool/nictool/security/advisories/new
29+
30+
### What to Include
31+
32+
- A clear description of the vulnerability and its potential impact
33+
- Steps to reproduce or a proof-of-concept
34+
- Affected package(s) and version(s)
35+
- Any suggested mitigations, if known
36+
37+
### Response Timeline
38+
39+
1. **Acknowledgement** — We aim to acknowledge reports within **4 days**.
40+
2. **Assessment** — We will confirm the issue, determine severity, and identify affected versions.
41+
3. **Fix & Release** — A patch release will be prepared and coordinated with the reporter.
42+
4. **Disclosure** — A GitHub Security Advisory (and CVE if applicable) will be published after the fix is available.
43+
44+
We follow [coordinated vulnerability disclosure](https://vuls.cert.org/confluence/display/CVD). Reporters are credited in the advisory unless they prefer otherwise.

0 commit comments

Comments
 (0)