judge4c/SECURITY.md


2025-06-30 08:35:33 +00:00
# Security Policy for Judge4C
## 🎯 Supported Branches & Versions
- **main** — the production-ready and officially released branch.
- **develop** — used for testing and pre-release. Not for production use.
- We only support and patch security issues on `main` and actively-maintained releases.
---
## 🛡️ Reporting a Vulnerability
We appreciate responsible disclosure! Please follow this process:
1. **Submission**
- Preferably via GitHub's official vulnerability reporting: **Security → Report a vulnerability**.
2. **Report Details**
- Affected version or commit (e.g., `main` or specific SHA/hash).
- Clear description and impact assessment.
- Steps to reproduce, proof-of-concept (PoC), logs/screenshots/use cases.
- Environment details (OS, dependencies, config, etc.).
3. **Confidentiality**
- All vulnerability discussions will remain confidential until a fix is released.
- We respect credit preferences—anonymous reporting is accepted.
---
## 🧭 Response Timeline
| Phase | Target Timeline | Description |
|------------------|-------------------------|-------------|
| Acknowledgment | Within 5 business days | Confirm receipt and provide a tracking reference. |
| Triage & Patching | Within 14 calendar days | Investigate, assess risk, and provide a fix or mitigation. |
| Public Disclosure | After fix release | Publish advisory in release notes and/or security bulletin. |
---
## ⚠️ Severity Guidance
We appreciate reports of all severity levels. Example categories:
- **Critical**: Remote code execution, authentication bypass, data exfiltration.
- **High**: Privilege escalation, serious data/information leakage.
- **Medium**: XSS, CSRF, business logic issues.
- **Low**: Minor config weaknesses, non-sensitive information exposure.
---
## 🔐 Security Best Practices
We maintain the following controls and hygiene measures:
- Docker-based sandboxing for isolated, resource-limited execution of submitted C programs.
- TLS (HTTPS) is recommended for all network access, together with secure handling of authentication tokens.
- Strict access controls: only administrators and teachers can perform sensitive operations.
- Dependabot and/or CodeQL for dependency & code scanning.
- GitHub branch protections on both `main` and `develop`, including required reviews, status checks, and no force-push.
- Secret scanning enabled to prevent API key leakage.
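As an added illustration of the sandboxing control listed above (this is not Judge4C's own sandbox code, which this policy does not show), the script below runs one already-compiled C submission in a throwaway Docker container with no network, a read-only filesystem, dropped capabilities, memory/CPU/PID limits, a CPU-time `ulimit` inside the container and a wall-clock `timeout` outside it. The image name `judge-sandbox:assumed`, the `/work` layout, and the limit values are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Judge4C's own code): run one already-compiled C submission
# inside a throwaway, resource-limited Docker container. Image name, limits and
# the /work layout are assumptions for illustration.

SANDBOX_IMAGE="${SANDBOX_IMAGE:-judge-sandbox:assumed}"   # assumed image name

# Hardening flags for one run, kept in a function so the set can be reviewed
# and tested without a Docker daemon. Args: memory limit, CPU share, max PIDs.
sandbox_flags() {
  mem="${1:-256m}"; cpus="${2:-1.0}"; pids="${3:-64}"
  echo "--rm --network none --read-only --cap-drop ALL" \
       "--security-opt no-new-privileges" \
       "--memory $mem --memory-swap $mem --cpus $cpus --pids-limit $pids" \
       "--user 65534:65534 --tmpfs /tmp:rw,noexec,nosuid,size=16m"
}

# Map the container's exit status to a judge verdict.
# 128+N means the program died from signal N (SIGXCPU=24 comes from ulimit -t).
classify_exit() {
  case "$1" in
    0)       echo "accepted" ;;
    124|137) echo "killed: wall-clock or memory limit" ;;
    152)     echo "cpu time limit exceeded" ;;
    139)     echo "runtime error: segmentation fault" ;;
    136)     echo "runtime error: floating point exception" ;;
    *)       echo "runtime error: exit status $1" ;;
  esac
}

# Run $1/a.out with $1/input.txt on stdin; $2 = wall-clock seconds, $3 = CPU seconds.
# stdout and stderr are captured on the host in $1/output.txt and $1/stderr.txt.
run_submission() {
  dir="$1"; wall="${2:-5}"; cpu="${3:-2}"
  name="judge-$$-$(date +%s)"
  # shellcheck disable=SC2046  (word-splitting the flag list is intended)
  timeout -s KILL "$wall" docker run --name "$name" $(sandbox_flags) \
      -v "$dir:/work:ro" -w /work "$SANDBOX_IMAGE" \
      sh -c "ulimit -t $cpu; ./a.out < input.txt" \
      > "$dir/output.txt" 2> "$dir/stderr.txt"
  status=$?
  # Killing the docker client on timeout does not stop the container itself,
  # so remove it explicitly (harmless if --rm already cleaned it up).
  docker rm -f "$name" >/dev/null 2>&1
  classify_exit "$status"
}

# Demo only when a work directory was given and a Docker daemon is available.
if [ -n "$1" ] && command -v docker >/dev/null 2>&1; then
  run_submission "$1" 5 2
fi
```

Usage: `sh sandbox.sh /path/to/submission` where the directory holds `a.out` and `input.txt`. Two design points worth keeping even if the limits change: `--memory-swap` equal to `--memory` stops the container from spilling into swap, and the explicit `docker rm -f` after `timeout` matters because killing the `docker run` client leaves the container running.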
---
## 👨‍💻 Secure Development Tips
- Avoid committing secrets: use environment variables and secret management tools.
- Regular dependency updates—automated monthly scans are recommended.
- Enforce 2FA for all contributors to reduce unauthorized access risks.
---
## 📚 References & Resources
- GitHub best practices for security policies
- OWASP Vulnerability Disclosure guidelines
- Coordinated Vulnerability Disclosure in open-source
---
## 🤝 Getting Help & Acknowledgments
- File a confidential GitHub security issue.
- You can also join our community Slack/Discord channel (see README).
- For in-depth cross-project discussions, refer to GitHub Security Lab documentation.
---
## 📜 License
This policy is shared under the **MIT License**—feel free to copy or adapt.
---
Thank you for helping us keep Judge4C secure!
— The Judge4C Development Team