docs: add community governance and contribution guidelines
- Add CONTRIBUTING.md with TDD requirements, PR workflow, and AI usage policy
- Add CODE_OF_CONDUCT.md based on Contributor Covenant
- Add SECURITY.md with vulnerability reporting scope and process
- Add AGENTS.md with AI usage policy for human contributors and AI agents
- Add CLAUDE.md to require reading AGENTS.md before any work
- Add Gitea issue templates for bug reports and feature requests
- Add pull request template with TDD and code quality checklist
51
SECURITY.md
Normal file
@@ -0,0 +1,51 @@
# Security Policy

## Supported Versions

STA is currently in early development with no stable release. Security
fixes are applied to the `main` branch only.

| Branch | Supported |
|-----------|-----------|
| `main` | ✅ |
| `develop` | ❌ |

## Reporting a Vulnerability

> [!CAUTION]
> **Do not report security vulnerabilities through public Gitea issues,
> pull requests, or discussions.**

Security vulnerabilities must be reported privately by email to
<phundrak>. Include as much of the following as possible to help assess
and address the issue quickly:

- A description of the vulnerability and its potential impact
- The affected component (backend API, Modbus communication,
authentication layer, etc.)
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots, if applicable
- Your suggested fix, if you have one

You will receive an acknowledgement as soon as possible. Please allow
reasonable time for the issue to be investigated and resolved before any
public disclosure.

## Scope

The following are considered in scope for security reports:

- Unauthorised relay control via the API (bypassing authentication)
- Information disclosure (leaking relay states, labels, or configuration
to unauthenticated users)
- Injection vulnerabilities in API inputs
- Insecure default configuration that could expose the system on a
network

The following are out of scope:

- Vulnerabilities in the infrastructure configuration or other
services STA may depend on (report those to their respective
projects)
- Issues that require physical access to the hardware host
- Denial-of-service attacks on the local network interface
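Review bot: the contact on the line `<phundrak>` is a bare handle, not a mailbox, so a reporter following "must be reported privately by email to" has no address to send to; put the actual address there and, since the policy asks for proof-of-concept code, consider publishing a PGP key or fingerprint next to it so that material is not sent in clear text. Two smaller points on the same hunk: "Modbus communication" is listed as a reportable component in the checklist but the Scope section only names API-level issues, so state explicitly whether weaknesses on the Modbus side (for example relay control reachable without the API's authentication) are in or out of scope; and "reasonable time" before public disclosure is unbounded, so a concrete window (e.g. 90 days) would set expectations for reporters.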