chore: create SECURITY.md

2025-05-10 09:55:48 +02:00 · 2025-02-01 10:32:28 +08:00 · 2025-02-01 10:32:28 +08:00 · 66639e0d19
commit 66639e0d19
parent 437411bba2
1 changed files with 35 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,35 @@
+# Security Policy
+
+## Supported Versions
+
+Security support status for currently maintained versions:
+
+| Version | Support Status        |
+|---------|-----------------------|
+| 2.x     | ✅ Actively Maintained |
+| 1.x     | ❌ End of Life         |
+
+## Vulnerability Reporting
+
+### Submit Vulnerability
+Please submit reports via [GitHub Security Advisory](https://github.com/0xJacky/nginx-ui/security/advisories/new) with:
+- Affected version(s)
+- Detailed vulnerability description
+- Reproducible PoC (Proof of Concept)
+- Environment configuration details
+
+### Handling Process
+- Valid reports will be tracked through private advisory channels
+- Within 21-31 days after remediation:
+  - Request CVE identifier from numbering authorities
+  - Publish technical details on GitHub Advisory
+  - Update Release Notes with impact assessment
+
+### Requirements
+- **Testing Restrictions**: All security validation must be conducted in locally built isolated environments. Online demo systems are strictly prohibited for testing purposes
+- **Environment Isolation**: Testing environments must be network-segregated from production systems. Test traffic must not leak beyond isolated networks
+- Destructive testing is prohibited without explicit authorization
+- Adhere to Coordinated Disclosure principles
+- Vulnerability details must remain confidential until public disclosure
+
+> Security researchers will be acknowledged in project credits based on contribution significance