From 3843daa228e7c586445d6b52899e4f886aa45d2b Mon Sep 17 00:00:00 2001 From: Ryan Date: Sun, 19 Oct 2025 07:54:27 -0400 Subject: [PATCH] =?UTF-8?q?docs:=20add=20=E2=80=9CSecurity=20posture?= =?UTF-8?q?=E2=80=9D=20to=20README=20and=20refresh=20SECURITY.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 12 ++++++++++ SECURITY.md | 65 ++++++++++++++++++++++++++++++++++++----------------- 2 files changed, 56 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 5c44a54..0ad48d7 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,8 @@ **Elevate your File Management** – A modern, self-hosted web file manager. Upload, organize, and share files or folders through a sleek web interface. **FileRise** is lightweight yet powerful: think of it as your personal cloud drive that you control. With drag-and-drop uploads, in-browser editing, secure user logins (with SSO and 2FA support), and one-click sharing, **FileRise** makes file management on your server a breeze. +> ⚠️ **Security fix in v1.5.0** — ACL hardening. If you’re on ≤1.4.x, please upgrade. + **4/3/2025 Video demo:** @@ -282,6 +284,16 @@ For more Q&A or to ask for help, open a Discussion or Issue. --- +## Security posture + +We practice responsible disclosure. All known security issues are fixed in **v1.5.0** (ACL hardening). +Advisories: [GHSA-6p87-q9rh-95wh](https://github.com/error311/FileRise/security/advisories/GHSA-6p87-q9rh-95wh) (≤ 1.3.15), [GHSA-jm96-2w52-5qjj](https://github.com/error311/FileRise/security/advisories/GHSA-jm96-2w52-5qjj) (v1.4.0). Fixed in **v1.5.0**. Thanks to [@kiwi865](https://github.com/kiwi865) for reporting. +If you’re running ≤1.4.x, please upgrade. + +See also: [SECURITY.md](./SECURITY.md) for how to report vulnerabilities. + +--- + ## Contributing Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md). diff --git a/SECURITY.md b/SECURITY.md index e5430ea..0657797 100644 --- a/SECURITY.md 
+++ b/SECURITY.md 
@@ -4,35 +4,58 @@ We provide security fixes for the latest minor release line. -| Version | Supported | -|------------|-----------| -| v1.5.x | ✅ | -| < v1.5.0 | ❌ | +| Version | Supported | +|----------|-----------| +| v1.5.x | ✅ | +| ≤ v1.4.x | ❌ | + +> Known issues in ≤ v1.4.x are fixed in **v1.5.0** and later. ## Reporting a Vulnerability -If you discover a security vulnerability, please do not open a public issue. Instead, follow these steps: +**Please do not open a public issue.** Use one of the private channels below: -1. **Email Us Privately:** - Send an email to [security@filerise.net](mailto:security@filerise.net) with the subject line “[FileRise] Security Vulnerability Report”. +1) **GitHub Security Advisory (preferred)** + Open a private report here: -2. **Include Details:** - Provide a detailed description of the vulnerability, steps to reproduce it, and any other relevant information (e.g., affected versions, screenshots, logs). +2) **Email** + Send details to **** with subject: `[FileRise] Security Vulnerability Report`. -3. **Secure Communication (Optional):** - If you wish to discuss the vulnerability securely, you can use our PGP key. You can obtain our PGP key by emailing us, and we will send it upon request. +### What to include -## Disclosure Policy +- Affected versions (e.g., v1.4.0), component/endpoint, and impact +- Reproduction steps / PoC +- Any logs, screenshots, or crash traces +- Safe test scope used (see below) -- **Acknowledgement:** - We will acknowledge receipt of your report within 48 hours. - -- **Resolution Timeline:** - We aim to fix confirmed vulnerabilities within 30 days. In cases where a delay is necessary, we will communicate updates to you directly. +If you’d like encrypted comms, ask for our PGP key in your first email. -- **Public Disclosure:** - After a fix is available, details of the vulnerability will be disclosed publicly in a way that does not compromise user security. 
+## Coordinated Disclosure -## Additional Information +- **Acknowledgement:** within **48 hours** +- **Triage & initial assessment:** within **7 days** +- **Fix target:** within **30 days** for high-severity issues (may vary by complexity) +- **CVE & advisory:** we publish a GitHub Security Advisory and request a CVE when appropriate. + We notify the reporter before public disclosure and credit them (unless they prefer to remain anonymous). -We appreciate responsible disclosure of vulnerabilities and thank all researchers who help keep FileRise secure. For any questions related to this policy, please contact us at [admin@filerise.net](mailto:admin@filerise.net). +## Safe-Harbor / Rules of Engagement + +We support good-faith research. Please: + +- Avoid privacy violations, data exfiltration, and service disruption (no DoS, spam, or brute-forcing) +- Don’t access other users’ data beyond what’s necessary to demonstrate the issue +- Don’t run automated scans against production installs you don’t own +- Follow applicable laws and make a good-faith effort to respect data and availability + +If you follow these guidelines, we won’t pursue or support legal action. + +## Published Advisories + +- **GHSA-6p87-q9rh-95wh** — ≤ **1.3.15**: Improper ownership/permission validation allowed cross-tenant file operations. +- **GHSA-jm96-2w52-5qjj** — **v1.4.0**: Insecure folder visibility via name-based mapping and incomplete ACL checks. + +Both are fixed in **v1.5.0** (ACL hardening). Thanks to **[@kiwi865](https://github.com/kiwi865)** for responsible disclosure. + +## Questions + +General security questions: ****
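Review bot: in the README hunk at `@@ -282,6 +284,16 @@` the fix version is stated three times in four lines: "All known security issues are fixed in **v1.5.0** (ACL hardening)", then "Fixed in **v1.5.0**." again right after the advisory list, plus "If you're running ≤1.4.x, please upgrade.", which repeats the banner added at `@@ -13,6 +13,8 @@` two screens up. Drop the trailing "Fixed in **v1.5.0**." and the duplicated upgrade line, and reconsider "All known security issues are fixed": that sentence goes stale the moment a new advisory is published, whereas the wording the SECURITY.md hunk uses ("Known issues in ≤ v1.4.x are fixed in **v1.5.0** and later") is scoped to the two advisories actually listed and stays true.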
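Review bot: in the SECURITY.md hunk the reporting channels have lost their targets: "1) **GitHub Security Advisory (preferred)** Open a private report here:" is followed by no URL, "2) **Email** Send details to **** with subject:" has an empty bold span where the address belongs, and "General security questions: ****" under `## Questions` is empty too, while the removed lines carried `[security@filerise.net](mailto:security@filerise.net)` and `[admin@filerise.net](mailto:admin@filerise.net)`. If these were written as angle-bracket autolinks, markdown renders them but plain-text readers and this diff view drop them; use the explicit link syntax the old text used, and put the repository's private-report URL (the "Report a vulnerability" link under the repo's Security tab, alongside the advisory links already used in the README hunk) after "Open a private report here:". Separately, the Safe-Harbor bullets only forbid "automated scans against production installs you don't own"; since FileRise is self-hosted, state plainly that testing is authorized only against instances the researcher owns or has permission to test, otherwise "we won't pursue or support legal action" reads as covering third-party deployments the project cannot authorize.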