SECURITY.md

# Security Policy

## Supported Versions

STA is currently in early development with no stable release. Security
fixes are applied to the `main` branch only.

| Branch    | Supported |
|-----------|-----------|
| `main`    | ✅        |
| `develop` | ❌        |

## Reporting a Vulnerability

> [!CAUTION]
> **Do not report security vulnerabilities through public Gitea issues,
> pull requests, or discussions.**

Security vulnerabilities must be reported privately by email to
<phundrak>. Include as much of the following as possible to help assess
and address the issue quickly:

- A description of the vulnerability and its potential impact
- The affected component (backend API, Modbus communication,
  authentication layer, etc.)
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots, if applicable
- Your suggested fix, if you have one

You will receive an acknowledgement as soon as possible. Please allow
reasonable time for the issue to be investigated and resolved before any
public disclosure.

## Scope

The following are considered in scope for security reports:

- Unauthorised relay control via the API (bypassing authentication)
- Information disclosure (leaking relay states, labels, or configuration
  to unauthenticated users)
- Injection vulnerabilities in API inputs
- Insecure default configuration that could expose the system on a
  network

The following are out of scope:

- Vulnerabilities in the infrastructure configuration or other
  services STA may depend on (report those to their respective
  projects)
- Issues that require physical access to the hardware host
- Denial-of-service attacks on the local network interface
docs: add community governance and contribution guidelines - Add CONTRIBUTING.md with TDD requirements, PR workflow, and AI usage policy - Add CODE_OF_CONDUCT.md based on Contributor Covenant - Add SECURITY.md with vulnerability reporting scope and process - Add AGENTS.md with AI usage policy for human contributors and AI agents - Add CLAUDE.md to require reading AGENTS.md before any work - Add Gitea issue templates for bug reports and feature requests - Add pull request template with TDD and code quality checklist 2026-01-23 20:46:48 +01:00			`# Security Policy`

			`## Supported Versions`

			`STA is currently in early development with no stable release. Security`
			fixes are applied to the `main` branch only.

			`\| Branch \| Supported \|`
			`\|-----------\|-----------\|`
			\| `main` \| ✅ \|
			\| `develop` \| ❌ \|

			`## Reporting a Vulnerability`

			`> [!CAUTION]`
			`> **Do not report security vulnerabilities through public Gitea issues,`
			`> pull requests, or discussions.**`

			`Security vulnerabilities must be reported privately by email to`
			`<phundrak>. Include as much of the following as possible to help assess`
			`and address the issue quickly:`

			`- A description of the vulnerability and its potential impact`
			`- The affected component (backend API, Modbus communication,`
			`authentication layer, etc.)`
			`- Steps to reproduce the issue`
			`- Any proof-of-concept code or screenshots, if applicable`
			`- Your suggested fix, if you have one`

			`You will receive an acknowledgement as soon as possible. Please allow`
			`reasonable time for the issue to be investigated and resolved before any`
			`public disclosure.`

			`## Scope`

			`The following are considered in scope for security reports:`

			`- Unauthorised relay control via the API (bypassing authentication)`
			`- Information disclosure (leaking relay states, labels, or configuration`
			`to unauthenticated users)`
			`- Injection vulnerabilities in API inputs`
			`- Insecure default configuration that could expose the system on a`
			`network`

			`The following are out of scope:`

			`- Vulnerabilities in the infrastructure configuration or other`
			`services STA may depend on (report those to their respective`
			`projects)`
			`- Issues that require physical access to the hardware host`
			`- Denial-of-service attacks on the local network interface`