|
1 | 1 | # Security Policy |
2 | 2 |
|
3 | | -If you find a security vulnerability in any Commit Check project, please report it privately. |
| 3 | +The **Commit Check** project takes the security of its software seriously. This document outlines our vulnerability disclosure process and supported versions. |
| 4 | + |
| 5 | +## Supported Versions |
| 6 | + |
| 7 | +Only the **latest** release of each project (`commit-check`, `commit-check-action`, `commit-check-mcp`) receives security patches. |
| 8 | + |
| 9 | +| Project | Supported | |
| 10 | +|---------|-----------| |
| 11 | +| commit-check (PyPI) | ✅ Latest release only | |
| 12 | +| commit-check-action | ✅ Latest release only | |
| 13 | +| commit-check-mcp | ✅ Latest release only | |
| 14 | +| Older versions | ❌ Not supported | |
| 15 | + |
| 16 | +Please keep your dependencies up to date. |
4 | 17 |
|
5 | 18 | ## Reporting a Vulnerability |
6 | 19 |
|
7 | | -**Do not open a public GitHub issue.** Instead, send an email to: |
| 20 | +**Do not open a public GitHub issue.** If you discover a security vulnerability in any Commit Check project, please report it privately. |
| 21 | + |
| 22 | +### Preferred: GitHub Security Advisories |
| 23 | + |
| 24 | +Use the **"Report a vulnerability"** feature on the relevant repository: |
| 25 | + |
| 26 | +- https://github.com/commit-check/commit-check/security/advisories/new |
| 27 | +- https://github.com/commit-check/commit-check-action/security/advisories/new |
| 28 | +- https://github.com/commit-check/commit-check-mcp/security/advisories/new |
| 29 | + |
| 30 | +This allows us to triage and patch the issue privately before public disclosure. |
| 31 | + |
| 32 | +### Alternative: Email |
| 33 | + |
| 34 | +If you cannot use the GitHub Security Advisories feature, send an email to: |
8 | 35 |
|
9 | 36 | **[xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com)** |
10 | 37 |
|
11 | | -Please include: |
| 38 | +### What to Include |
12 | 39 |
|
13 | | -- Which project and version is affected |
14 | | -- A description of the issue and its impact |
15 | | -- Steps to reproduce (or a proof of concept) |
| 40 | +Please provide as much of the following information as possible: |
16 | 41 |
|
17 | | -You will receive an acknowledgment within 48 hours, followed by a plan for resolution. |
| 42 | +- **Project and version** affected (e.g., commit-check v2.15.0) |
| 43 | +- **Type of vulnerability** (e.g., arbitrary code execution, denial of service, information disclosure) |
| 44 | +- **Description** of the issue and its potential impact |
| 45 | +- **Steps to reproduce** or a proof of concept (PoC) |
| 46 | +- **Affected components** (e.g., CLI, GitHub Action, MCP Server) |
| 47 | +- **Any suggested mitigation** (if known) |
18 | 48 |
|
19 | | -## Supported Versions |
| 49 | +### What to Expect |
| 50 | + |
| 51 | +| Step | Timeframe | |
| 52 | +|------|-----------| |
| 53 | +| Acknowledgment | Within 48 hours | |
| 54 | +| Initial assessment & triage | Within 5 business days | |
| 55 | +| Fix development | Within 14 days (critical issues) | |
| 56 | +| Coordinated disclosure | After a patch is released | |
| 57 | + |
| 58 | +We will keep you informed of progress throughout the process. |
| 59 | + |
| 60 | +## Coordinated Disclosure |
| 61 | + |
| 62 | +We believe in responsible disclosure. We will: |
| 63 | + |
| 64 | +1. Work with the reporter to understand and validate the issue |
| 65 | +2. Develop and test a fix in a private fork |
| 66 | +3. Release a patched version |
| 67 | +4. Credit the reporter in the release notes (if they wish) |
| 68 | + |
| 69 | +We ask reporters to give us a reasonable timeframe to address the issue before public disclosure. |
| 70 | + |
| 71 | +## PGP Key |
| 72 | + |
| 73 | +If you need to communicate sensitive information via encrypted email, you can use the following PGP key: |
| 74 | + |
| 75 | +> **Note:** A PGP key will be published here once generated. In the meantime, please use GitHub Security Advisories or the contact email above. |
| 76 | +
|
| 77 | +## Security best practices for users |
| 78 | + |
| 79 | +- Always use the **latest version** of Commit Check tools |
| 80 | +- Verify artifact attestations when using GitHub Action (we provide SLSA attestation for releases) |
| 81 | +- Review commit signatures in sensitive environments |
| 82 | +- Use branch protection rules alongside Commit Check |
| 83 | + |
| 84 | +## Acknowledgments |
20 | 85 |
|
21 | | -Only the latest release of each project receives security patches. Please keep your dependencies up to date. |
| 86 | +We thank the security researchers and community members who responsibly disclose vulnerabilities to us. |
0 commit comments