docs: add “Security posture” to README and refresh SECURITY.md

2025-10-19 07:54:27 -04:00
parent 169e03be5d
commit 3843daa228
2 changed files with 56 additions and 21 deletions
--- a/README.md
+++ b/README.md
@@ -13,6 +13,8 @@
 **Elevate your File Management** – A modern, self-hosted web file manager.
 Upload, organize, and share files or folders through a sleek web interface. **FileRise** is lightweight yet powerful: think of it as your personal cloud drive that you control. With drag-and-drop uploads, in-browser editing, secure user logins (with SSO and 2FA support), and one-click sharing, **FileRise** makes file management on your server a breeze.
 > ⚠️ **Security fix in v1.5.0** — ACL hardening. If you’re on ≤1.4.x, please upgrade.
 **4/3/2025 Video demo:**
 <https://github.com/user-attachments/assets/221f6a53-85f5-48d4-9abe-89445e0af90e>
@@ -282,6 +284,16 @@ For more Q&A or to ask for help, open a Discussion or Issue.
 ---
 ## Security posture
 We practice responsible disclosure. All known security issues are fixed in **v1.5.0** (ACL hardening).
 Advisories: [GHSA-6p87-q9rh-95wh](https://github.com/error311/FileRise/security/advisories/GHSA-6p87-q9rh-95wh) (≤ 1.3.15), [GHSA-jm96-2w52-5qjj](https://github.com/error311/FileRise/security/advisories/GHSA-jm96-2w52-5qjj) (v1.4.0). Fixed in **v1.5.0**. Thanks to [@kiwi865](https://github.com/kiwi865) for reporting.
 If you’re running ≤1.4.x, please upgrade.
 See also: [SECURITY.md](./SECURITY.md) for how to report vulnerabilities.
 ---
 ## Contributing
 Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md).  
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,35 +4,58 @@
 We provide security fixes for the latest minor release line.
-| Version     | Supported |
+| Version   | Supported |
-|------------|-----------|
+|----------|-----------|
-| v1.5.x     | ✅        |
+| v1.5.x   | ✅        |
-| < v1.5.0   | ❌        |
+| ≤ v1.4.x | ❌        |
 > Known issues in ≤ v1.4.x are fixed in **v1.5.0** and later.
 ## Reporting a Vulnerability
-If you discover a security vulnerability, please do not open a public issue. Instead, follow these steps:
+**Please do not open a public issue.** Use one of the private channels below:
-1. **Email Us Privately:**  
+1) **GitHub Security Advisory (preferred)**  
-   Send an email to [security@filerise.net](mailto:security@filerise.net) with the subject line “[FileRise] Security Vulnerability Report”.
+   Open a private report here: <https://github.com/error311/FileRise/security/advisories/new>
-2. **Include Details:**  
+2) **Email**  
-   Provide a detailed description of the vulnerability, steps to reproduce it, and any other relevant information (e.g., affected versions, screenshots, logs).
+   Send details to **<security@filerise.net>** with subject: `[FileRise] Security Vulnerability Report`.
-3. **Secure Communication (Optional):**  
+### What to include
   If you wish to discuss the vulnerability securely, you can use our PGP key. You can obtain our PGP key by emailing us, and we will send it upon request.
-## Disclosure Policy
+- Affected versions (e.g., v1.4.0), component/endpoint, and impact
 - Reproduction steps / PoC
 - Any logs, screenshots, or crash traces
 - Safe test scope used (see below)
- **Acknowledgement:**  
+If you’d like encrypted comms, ask for our PGP key in your first email.
  We will acknowledge receipt of your report within 48 hours.
- **Resolution Timeline:**  
+## Coordinated Disclosure
  We aim to fix confirmed vulnerabilities within 30 days. In cases where a delay is necessary, we will communicate updates to you directly.
- **Public Disclosure:**  
+- **Acknowledgement:** within **48 hours**  
-  After a fix is available, details of the vulnerability will be disclosed publicly in a way that does not compromise user security.
+- **Triage & initial assessment:** within **7 days**  
 - **Fix target:** within **30 days** for high-severity issues (may vary by complexity)
 - **CVE & advisory:** we publish a GitHub Security Advisory and request a CVE when appropriate.  
  We notify the reporter before public disclosure and credit them (unless they prefer to remain anonymous).
-## Additional Information
+## Safe-Harbor / Rules of Engagement
-We appreciate responsible disclosure of vulnerabilities and thank all researchers who help keep FileRise secure. For any questions related to this policy, please contact us at [admin@filerise.net](mailto:admin@filerise.net).
+We support good-faith research. Please:
 - Avoid privacy violations, data exfiltration, and service disruption (no DoS, spam, or brute-forcing)
 - Don’t access other users’ data beyond what’s necessary to demonstrate the issue
 - Don’t run automated scans against production installs you don’t own
 - Follow applicable laws and make a good-faith effort to respect data and availability
 If you follow these guidelines, we won’t pursue or support legal action.
 ## Published Advisories
 - **GHSA-6p87-q9rh-95wh** — ≤ **1.3.15**: Improper ownership/permission validation allowed cross-tenant file operations.  
 - **GHSA-jm96-2w52-5qjj** — **v1.4.0**: Insecure folder visibility via name-based mapping and incomplete ACL checks.  
 Both are fixed in **v1.5.0** (ACL hardening). Thanks to **[@kiwi865](https://github.com/kiwi865)** for responsible disclosure.
 ## Questions
 General security questions: **<admin@filerise.net>**