Skip to content

Security: JVKeller/horilla

Security

SECURITY.md

Horilla Open Source Project - Security Guidelines

Thank you for your interest in contributing to the Horilla open-source project. We take security seriously and value the community's efforts in helping us identify and address security vulnerabilities. This document outlines the security guidelines for reporting and addressing security issues within the Horilla project.

Reporting Security Issues

If you discover a security vulnerability in the Horilla project, please follow these steps to report it:

  1. Do Not create a public GitHub issue for the security vulnerability.
  2. Do Not disclose the vulnerability details publicly until the issue has been resolved.
  3. Notify the project maintainers by sending an email to [email protected]. Include a detailed description of the vulnerability, including the potential impact and any relevant technical details.
  4. A project maintainer will respond to your email within 72 hours to acknowledge the report and begin the investigation process.
  5. Once the security vulnerability has been verified and validated, we will work on a fix.
  6. We will collaborate with you to coordinate the release of the fix and any necessary announcements.

Vulnerability Handling

Horilla project follows these principles when handling security vulnerabilities:

  • Swift Response: We strive to respond to and address security vulnerabilities as quickly as possible. The time to resolution may vary depending on the complexity of the issue, but we will keep you updated on our progress.
  • Coordinated Disclosure: We follow a coordinated disclosure process, meaning we work with the reporter to ensure that the vulnerability is disclosed responsibly. This may involve a joint announcement or other measures to protect users until a fix is available.
  • Public Disclosure: Once the vulnerability is fixed and released, we will publicly acknowledge your contribution to the security of the project, unless you prefer to remain anonymous.

Security Best Practices

For contributors to the Horilla project, we recommend the following security best practices:

  • Code Review: Perform thorough code reviews to identify and address security issues before they are merged into the project's codebase.
  • Secure Dependencies: Regularly update and monitor the project's dependencies for security vulnerabilities. Use trusted and well-maintained packages.
  • Authentication and Authorization: Implement strong authentication and authorization mechanisms to prevent unauthorized access to sensitive resources.
  • Data Validation: Validate and sanitize all user inputs to prevent common security vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and more.
  • Secure Configuration: Store sensitive configuration and credentials securely, and avoid hardcoding secrets in your codebase.
  • Sensitive Data Handling: Handle sensitive data, such as passwords and tokens, with care. Store them securely using encryption and follow industry best practices for data protection.
  • Regular Security Audits: Conduct periodic security audits and assessments of the project's codebase and infrastructure.

Disclaimer

The Horilla project and its maintainers assume no liability for any security vulnerabilities reported or discovered. We do, however, greatly appreciate your help in keeping the project secure.

Contact

If you have any questions or concerns about the security guidelines or the project's security practices, please contact us at [email protected].

There aren’t any published security advisories