Skip to content

Commit b8b1c21

Browse files
committed
Add security policy
1 parent 0961242 commit b8b1c21

1 file changed

Lines changed: 75 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 75 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,75 @@
1+
# Security Policy
2+
3+
## Reporting a Vulnerability
4+
5+
The security of [SQLite3MultipleCiphers](https://utelle.github.io/SQLite3MultipleCiphers/) is taken seriously.
6+
7+
If you believe you have discovered a security vulnerability in this project, please report it using [GitHub's private vulnerability reporting](https://github.com/utelle/SQLite3MultipleCiphers/security/advisories/new) feature. Please **do not create a public issue** for _security-related reports_.
8+
9+
### What to Include
10+
11+
To help with triage and analysis, please include as much information as possible:
12+
13+
- A clear description of the issue
14+
- Steps to reproduce the problem
15+
- Affected versions
16+
- Potential security impact
17+
- Any proof-of-concept code, test case, or example database (if applicable)
18+
19+
### Response Policy
20+
21+
Reports are reviewed on a best-effort basis.
22+
23+
While reasonable effort will be made to assess and address valid security issues in a timely manner, no specific response time or remediation schedule can be guaranteed.
24+
25+
## Scope
26+
27+
[SQLite3MultipleCiphers}(https://utelle.github.io/SQLite3MultipleCiphers/) extends [SQLite](https://sqlite.org) with database encryption capabilities.
28+
29+
Security reports should focus on vulnerabilities introduced by this project, particularly in relation to its cryptographic functionality.
30+
31+
### In Scope
32+
33+
The following types of issues are generally considered in scope:
34+
35+
- Weaknesses or flaws in encryption implementations
36+
- Cryptographic design or implementation issues
37+
- Key derivation or key management problems
38+
- Authentication or integrity protection failures
39+
- Sensitive information leakage caused by this project
40+
- Vulnerabilities introduced by modifications or extensions to SQLite
41+
42+
### Out of Scope
43+
44+
The following types of issues are generally considered out of scope:
45+
46+
- Vulnerabilities in upstream SQLite that are not introduced or modified by this project
47+
- Issues that require an attacker to execute arbitrary SQL statements within a target application
48+
- Application-level misuse, insecure configuration, or incorrect integration of SQLite3MultipleCiphers
49+
- General SQLite behavior unrelated to the encryption features provided by this project
50+
51+
## Upstream SQLite Vulnerabilities
52+
53+
[SQLite3MultipleCiphers](https://utelle.github.io/SQLite3MultipleCiphers/) is built on top of [SQLite](https://sqlite.org).
54+
55+
Security issues originating from SQLite itself should generally be reported to the SQLite project unless there is clear evidence that SQLite3MultipleCiphers introduces, modifies, or significantly amplifies the vulnerability.
56+
57+
For background on _SQLite CVEs_ and their applicability, see: [https://sqlite.org/cves.html](https://sqlite.org/cves.html).
58+
59+
Reports should clearly explain how a given [SQLite](https://sqlite.org) issue affects [SQLite3MultipleCiphers](https://utelle.github.io/SQLite3MultipleCiphers/), particularly with respect to its _encryption-related_ functionality.
60+
61+
Reports that merely reference a published [SQLite CVE](https://sqlite.org/cves.html) without demonstrating relevance to this project are generally considered out of scope.
62+
63+
## Supported Versions
64+
65+
Security fixes are generally applied only to the most recent release and the current development branch.
66+
67+
Older versions may not receive security updates.
68+
69+
## Coordinated Disclosure
70+
71+
Please do not publicly disclose security vulnerabilities before they have been reviewed and addressed.
72+
73+
Responsible disclosure helps protect users and ensures that fixes can be prepared before details are made public.
74+
75+
Thank you for helping improve the security of [SQLite3MultipleCiphers](https://utelle.github.io/SQLite3MultipleCiphers/).

0 commit comments

Comments
 (0)