# Security Policy

## Supported Versions

STA is currently in early development with no stable release. Security fixes are applied to the `main` branch only.

| Branch    | Supported |
|-----------|-----------|
| `main`    | ✅        |
| `develop` | ❌        |

## Reporting a Vulnerability

> [!CAUTION]
> **Do not report security vulnerabilities through public Gitea issues,
> pull requests, or discussions.**

Security vulnerabilities must be reported privately by email to .

Include as much of the following as possible to help assess and address the issue quickly:

- A description of the vulnerability and its potential impact
- The affected component (backend API, Modbus communication, authentication layer, etc.)
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots, if applicable
- Your suggested fix, if you have one

You will receive an acknowledgement as soon as possible. Please allow reasonable time for the issue to be investigated and resolved before any public disclosure.

## Scope

The following are considered in scope for security reports:

- Unauthorised relay control via the API (bypassing authentication)
- Information disclosure (leaking relay states, labels, or configuration to unauthenticated users)
- Injection vulnerabilities in API inputs
- Insecure default configuration that could expose the system on a network

The following are out of scope:

- Vulnerabilities in the infrastructure configuration or other services STA may depend on (report those to their respective projects)
- Issues that require physical access to the hardware host
- Denial-of-service attacks on the local network interface