joachim/FileRise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
827e65e36772c0b51b76adb59874b888634308ff
FileRise/SECURITY.md

62 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Security Policy
## Supported Versions
We provide security fixes for the latest minor release line.
| Version | Supported |
|----------|-----------|
| v1.5.x | ✅ |
| ≤ v1.4.x | ❌ |
> Known issues in ≤ v1.4.x are fixed in **v1.5.0** and later.
## Reporting a Vulnerability
**Please do not open a public issue.** Use one of the private channels below:
1) **GitHub Security Advisory (preferred)**
Open a private report here: <https://github.com/error311/FileRise/security/advisories/new>
2) **Email**
Send details to **<security@filerise.net>** with subject: `[FileRise] Security Vulnerability Report`.
### What to include
- Affected versions (e.g., v1.4.0), component/endpoint, and impact
- Reproduction steps / PoC
- Any logs, screenshots, or crash traces
- Safe test scope used (see below)
If youd like encrypted comms, ask for our PGP key in your first email.
## Coordinated Disclosure
- **Acknowledgement:** within **48 hours**
- **Triage & initial assessment:** within **7 days**
- **Fix target:** within **30 days** for high-severity issues (may vary by complexity)
- **CVE & advisory:** we publish a GitHub Security Advisory and request a CVE when appropriate.
We notify the reporter before public disclosure and credit them (unless they prefer to remain anonymous).
## Safe-Harbor / Rules of Engagement
We support good-faith research. Please:
- Avoid privacy violations, data exfiltration, and service disruption (no DoS, spam, or brute-forcing)
- Dont access other users data beyond whats necessary to demonstrate the issue
- Dont run automated scans against production installs you dont own
- Follow applicable laws and make a good-faith effort to respect data and availability
If you follow these guidelines, we wont pursue or support legal action.
## Published Advisories
- **GHSA-6p87-q9rh-95wh** — ≤ **1.3.15**: Improper ownership/permission validation allowed cross-tenant file operations.
- **GHSA-jm96-2w52-5qjj** — **v1.4.0**: Insecure folder visibility via name-based mapping and incomplete ACL checks.
Both are fixed in **v1.5.0** (ACL hardening). Thanks to **[@kiwi865](https://github.com/kiwi865)** for responsible disclosure.
## Questions
General security questions: **<admin@filerise.net>**
Reference in New Issue View Git Blame Copy Permalink