sta/SECURITY.md
Lucien Cartier-Tilet a965848076 docs: add community governance and contribution guidelines
- Add CONTRIBUTING.md with TDD requirements, PR workflow, and AI usage
  policy
- Add CODE_OF_CONDUCT.md based on Contributor Covenant
- Add SECURITY.md with vulnerability reporting scope and process
- Add AGENTS.md with AI usage policy for human contributors and AI
  agents
- Add CLAUDE.md to require reading AGENTS.md before any work
- Add Gitea issue templates for bug reports and feature requests
- Add pull request template with TDD and code quality checklist
2026-02-14 00:01:37 +01:00

Security Policy

Supported Versions

STA is currently in early development with no stable release. Security fixes are applied to the main branch only.

Branch    Supported
main      yes
develop   no

Reporting a Vulnerability

Caution

Do not report security vulnerabilities through public Gitea issues, pull requests, or discussions.

Security vulnerabilities must be reported privately by email to . Include as much of the following as possible to help assess and address the issue quickly:

  • A description of the vulnerability and its potential impact
  • The affected component (backend API, Modbus communication, authentication layer, etc.)
  • Steps to reproduce the issue
  • Any proof-of-concept code or screenshots, if applicable
  • Your suggested fix, if you have one

You will receive an acknowledgement as soon as possible. Please allow reasonable time for the issue to be investigated and resolved before any public disclosure.

Scope

The following are considered in scope for security reports:

  • Unauthorised relay control via the API (bypassing authentication)
  • Information disclosure (leaking relay states, labels, or configuration to unauthenticated users)
  • Injection vulnerabilities in API inputs
  • Insecure default configuration that could expose the system on a network

The following are out of scope:

  • Vulnerabilities in the infrastructure configuration or other services STA may depend on (report those to their respective projects)
  • Issues that require physical access to the hardware host
  • Denial-of-service attacks on the local network interface