|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Purpose |
| 4 | + |
| 5 | +This document defines how security issues affecting `heiFIP` must be |
| 6 | +reported, handled, remediated, and disclosed. The goal is to ensure that |
| 7 | +security-relevant findings are managed confidentially, triaged consistently, |
| 8 | +and resolved within appropriate operational timelines. |
| 9 | + |
| 10 | +## Supported Versions |
| 11 | + |
| 12 | +Security fixes are provided for supported releases only, beginning with the first production release v1.0.0 |
| 13 | + |
| 14 | +| Version | Supported | |
| 15 | +| ------- | --------- | |
| 16 | +| `main` / latest release | Yes | |
| 17 | +| Previous minor release | Yes | |
| 18 | +| Older releases | No | |
| 19 | + |
| 20 | +## Confidential Reporting |
| 21 | + |
| 22 | +Security issues must be reported through confidential channels only. Public |
| 23 | +GitHub issues, public pull requests, or other public forums must not be used |
| 24 | +for reporting vulnerabilities. |
| 25 | + |
| 26 | +Approved reporting channels: |
| 27 | + |
| 28 | +- GitHub Private Vulnerability Reporting / Security Advisories |
| 29 | +- Email: `stefan.machmeier@uni-heidelberg.de` |
| 30 | + |
| 31 | +Reports should include, where available: |
| 32 | + |
| 33 | +- A concise description of the issue |
| 34 | +- Affected component, endpoint, container, or workflow |
| 35 | +- Reproduction steps or validation details |
| 36 | +- Expected impact and potential exploitation scenario |
| 37 | +- Affected version, branch, commit, or image tag |
| 38 | +- Relevant logs, screenshots, request samples, or proof-of-concept material |
| 39 | +- Whether the issue appears actively exploited or time-sensitive |
| 40 | + |
| 41 | +## Confidentiality Requirements |
| 42 | + |
| 43 | +All reported security issues are handled as confidential until review is |
| 44 | +complete and a coordinated disclosure decision has been made. |
| 45 | + |
| 46 | +During this period: |
| 47 | + |
| 48 | +- Issue details must not be disclosed publicly |
| 49 | +- Sensitive technical details must be shared only on a need-to-know basis |
| 50 | +- Access to internal discussion, remediation branches, and advisory drafts |
| 51 | + should be restricted |
| 52 | +- If there is evidence of active exploitation, internal escalation should occur |
| 53 | + immediately |
| 54 | + |
| 55 | +## Intake and Triage |
| 56 | + |
| 57 | +Each report is reviewed to determine: |
| 58 | + |
| 59 | +- Whether the issue is reproducible |
| 60 | +- Whether it affects a supported version |
| 61 | +- Whether there is a meaningful confidentiality, integrity, or availability impact |
| 62 | +- Whether exploitation requires special conditions or privileged access |
| 63 | +- Whether the issue represents active exploitation, a misconfiguration, or a |
| 64 | + theoretical weakness without practical impact |
| 65 | + |
| 66 | +Severity should be classified as `Critical / High / Medium / Low`. |
| 67 | + |
| 68 | +## Response Targets |
| 69 | + |
| 70 | +The following target times apply to supported versions and valid security |
| 71 | +reports. These targets are operational goals, not contractual guarantees. |
| 72 | + |
| 73 | +| Stage | Target | |
| 74 | +| ----- | ------ | |
| 75 | +| Initial acknowledgement | Within 2 business days | |
| 76 | +| Initial triage decision | Within 5 business days | |
| 77 | +| First remediation update | Within 7 calendar days | |
| 78 | +| Ongoing status updates | At least every 7 calendar days | |
| 79 | +| Critical issue remediation plan | Within 7 calendar days | |
| 80 | +| High severity remediation plan | Within 14 calendar days | |
| 81 | +| Medium severity remediation plan | Within 30 calendar days | |
| 82 | +| Low severity remediation plan | Best effort | |
| 83 | + |
| 84 | +If a report indicates active exploitation, credential exposure, remote code |
| 85 | +execution, or broad unauthorized access, the issue should be escalated as an |
| 86 | +incident and handled with priority outside normal backlog processes. |
| 87 | + |
| 88 | +## Remediation Process |
| 89 | + |
| 90 | +When a security issue is confirmed, maintainers should: |
| 91 | + |
| 92 | +- Reproduce and validate the issue |
| 93 | +- Define affected versions and deployment scenarios |
| 94 | +- Prepare a remediation plan proportional to the severity |
| 95 | +- Implement and review the fix |
| 96 | +- Backport the fix to supported versions where feasible |
| 97 | +- Validate the fix before release |
| 98 | +- Prepare customer-facing or operator-facing guidance if configuration or |
| 99 | + operational action is required |
| 100 | + |
| 101 | +Where immediate remediation is not possible, temporary mitigations should be |
| 102 | +documented and communicated clearly. |
| 103 | + |
| 104 | +## Disclosure and Publication |
| 105 | + |
| 106 | +Confirmed vulnerabilities are disclosed in a coordinated manner after one of |
| 107 | +the following conditions is met: |
| 108 | + |
| 109 | +- A fix has been released |
| 110 | +- A mitigation has been published and the residual risk is understood |
| 111 | +- A disclosure deadline has been reached and leadership approves publication |
| 112 | + |
| 113 | +The default disclosure target is `90 days`, but the actual window may be |
| 114 | +shortened or extended based on: |
| 115 | + |
| 116 | +- Evidence of exploitation |
| 117 | +- Fix availability and deployment risk |
| 118 | +- Customer exposure |
| 119 | +- Dependency or vendor coordination needs |
| 120 | + |
| 121 | +Public disclosures may include: |
| 122 | + |
| 123 | +- A security advisory |
| 124 | +- Release notes |
| 125 | +- Upgrade or mitigation instructions |
| 126 | +- Severity and affected-version information |
| 127 | + |
| 128 | +## Operational Communication |
| 129 | + |
| 130 | +Where a confirmed issue affects deployed environments, communication should be |
| 131 | +proportionate to impact. This may include: |
| 132 | + |
| 133 | +- Internal security or operations escalation |
| 134 | +- Notification to administrators, customers, or service owners |
| 135 | +- Temporary mitigation guidance |
| 136 | +- Required upgrade or rotation steps |
| 137 | +- Post-remediation confirmation and closure |
| 138 | + |
| 139 | +Security communications should avoid unnecessary disclosure of exploit details |
| 140 | +before mitigations are available. |
| 141 | + |
| 142 | +## Scope |
| 143 | + |
| 144 | +The following areas are considered in scope for security handling: |
| 145 | + |
| 146 | +- Authentication and authorization controls |
| 147 | +- Password handling and account lifecycle |
| 148 | +- File upload, parsing, and processing pipelines |
| 149 | +- Secrets handling and environment configuration |
| 150 | +- Data access controls and audit logging |
| 151 | +- Container, service, and network configuration |
| 152 | +- Dependency vulnerabilities with validated product impact |
| 153 | +- Sensitive data exposure, privilege escalation, SSRF, RCE, injection, and |
| 154 | + broken access control |
| 155 | + |
| 156 | +## Out of Scope |
| 157 | + |
| 158 | +The following are generally not treated as security vulnerabilities unless |
| 159 | +clear and demonstrated security impact exists: |
| 160 | + |
| 161 | +- Cosmetic misconfigurations without exploitability |
| 162 | +- Missing hardening headers without a practical attack path |
| 163 | +- Issues affecting unsupported or end-of-life releases only |
| 164 | +- Hypothetical findings without reproducible impact |
| 165 | +- Third-party platform issues outside the control of this project |
| 166 | +- Reports based only on scanner output without technical validation |
| 167 | + |
| 168 | +## Safe Handling Expectations |
| 169 | + |
| 170 | +Anyone validating a suspected issue is expected to act in a controlled and |
| 171 | +minimal manner. |
| 172 | + |
| 173 | +Expected behavior: |
| 174 | + |
| 175 | +- Limit activity to what is necessary to confirm the issue |
| 176 | +- Avoid unauthorized access to non-public or third-party data |
| 177 | +- Avoid disruption of production systems |
| 178 | +- Avoid persistence, data modification, or data destruction |
| 179 | +- Stop testing and report promptly once the issue is confirmed |
| 180 | + |
| 181 | +This policy does not authorize: |
| 182 | + |
| 183 | +- Access to data belonging to other users or organizations |
| 184 | +- Service disruption or denial-of-service activity |
| 185 | +- Data exfiltration or retention of sensitive information |
| 186 | +- Any activity that violates applicable law or contractual obligations |
| 187 | + |
| 188 | +## Security Updates |
| 189 | + |
| 190 | +Security fixes may be distributed through one or more of the following: |
| 191 | + |
| 192 | +- Normal release process |
| 193 | +- Out-of-band patch release |
| 194 | +- Security advisory |
| 195 | +- Operational mitigation notice |
| 196 | + |
| 197 | +Where appropriate, the published update should include: |
| 198 | + |
| 199 | +- Affected versions |
| 200 | +- Fixed versions |
| 201 | +- Severity |
| 202 | +- Upgrade path |
| 203 | +- Required operational actions |
| 204 | + |
| 205 | +## Escalation |
| 206 | + |
| 207 | +If no acknowledgement is received within the response target above, the report |
| 208 | +should be resent to: |
| 209 | + |
| 210 | +- `stefan.machmeier@uni-heidelberg.de` |
| 211 | + |
| 212 | +Urgent reports involving active exploitation or high-confidence compromise |
| 213 | +should use the subject line: |
| 214 | + |
| 215 | +`[URGENT SECURITY REPORT]` |
| 216 | + |
| 217 | +## Policy Maintenance |
| 218 | + |
| 219 | +This policy should be reviewed whenever: |
| 220 | + |
| 221 | +- Reporting channels change |
| 222 | +- Supported versions change |
| 223 | +- Incident response expectations change |
| 224 | +- Disclosure commitments change |
| 225 | + |
| 226 | +Last reviewed: `26-03-2026` |
0 commit comments