diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ae7b12e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,97 @@ +# Security Policy for Judge4C + +## 🎯 Supported Branches & Versions + +- **main** — the production-ready and officially released branch. +- **develop** — used for testing and pre-release. Not for production use. +- We only support and patch security issues on `main` and actively-maintained releases. + +--- + +## 🛡️ Reporting a Vulnerability + +We appreciate responsible disclosure! Please follow this process: + +1. **Submission** + - Preferably via GitHub’s official vulnerability reporting: **Security → Report a vulnerability**. + +2. **Report Details** + - Affected version or commit (e.g., `main` or specific SHA/hash). + - Clear description and impact assessment. + - Steps to reproduce, proof-of-concept (PoC), logs/screenshots/use cases. + - Environment details (OS, dependencies, config, etc.). + +3. **Confidentiality** + - All vulnerability discussions will remain confidential until a fix is released. + - We respect credit preferences—anonymous reporting is accepted. + +--- + +## 🧭 Response Timeline + +| Phase | Target Timeline | Description | +|------------------|-------------------------|-------------| +| Acknowledgment | Within 5 business days | Confirm receipt and provide a tracking reference. | +| Triage & Patching | Within 14 calendar days | Investigate, assess risk, and provide a fix or mitigation. | +| Public Disclosure | After fix release | Publish advisory in release notes and/or security bulletin. | + +--- + +## ⚠️ Severity Guidance + +We appreciate reports of all severity levels. Example categories: + +- **Critical**: Remote code execution, authentication bypass, data exfiltration. +- **High**: Privilege escalation, serious data/information leakage. +- **Medium**: XSS, CSRF, business logic issues. +- **Low**: Minor config weaknesses, non-sensitive information exposure. 
+ +--- + +## 🔐 Security Best Practices + +We maintain the following controls and hygiene measures: + +- Docker-based sandboxing for isolated C-program execution; resource-limited. +- Recommend TLS (HTTPS) for all network access and secure authentication tokens. +- Strict access controls: only administrators and teachers can perform sensitive operations. +- Dependabot and/or CodeQL for dependency & code scanning :contentReference[oaicite:1]{index=1}. +- GitHub branch protections on both `main` and `develop`, including required reviews, status checks, and no force-push. :contentReference[oaicite:2]{index=2} +- Secret scanning enabled to prevent API key leakage. :contentReference[oaicite:3]{index=3} + +--- + +## 👨‍💻 Secure Development Tips + +- Avoid committing secrets: use environment variables and secret management tools. :contentReference[oaicite:4]{index=4} +- Regular dependency updates—automated monthly scans are recommended. :contentReference[oaicite:5]{index=5} +- Enforce 2FA for all contributors to reduce unauthorized access risks. :contentReference[oaicite:6]{index=6} + +--- + +## 📚 References & Resources + +- GitHub best practices for security policies :contentReference[oaicite:7]{index=7} +- OWASP Vulnerability Disclosure guidelines :contentReference[oaicite:8]{index=8} +- Coordinated Vulnerability Disclosure in open-source :contentReference[oaicite:9]{index=9} + +--- + +## 🤝 Getting Help & Acknowledgments + +- File a confidential GitHub security issue +- You can also join our community Slack/Discord channel (see README). +- For in-depth cross-project discussions, refer to GitHub Security Lab documentation. + +--- + +## 📜 License + +This policy is shared under the **MIT License**—feel free to copy or adapt. + +--- + + + +Thank you for helping us keep Judge4C secure! +— The Judge4C Development Team
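Review bot: the `:contentReference[oaicite:N]{index=N}` tokens throughout the "Security Best Practices", "Secure Development Tips" and "References & Resources" sections are unresolved citation placeholders, not Markdown; they will render literally on GitHub and every entry under "References & Resources" is therefore a bullet with no actual link. Replace each with a real URL (or drop the marker) before merging. Two smaller points in the same hunk: "Dependabot and/or CodeQL for dependency & code scanning" is stated as a control the project maintains, so the policy should say which of the two is actually enabled rather than "and/or"; and the "Getting Help" line "File a confidential GitHub security issue" is misleading, since ordinary GitHub issues are public. Reword it to match step 1 of "Reporting a Vulnerability" (the private "Security → Report a vulnerability" form), e.g. "Submit a private vulnerability report via the Security tab", and consider adding a fallback contact for reporters who cannot use that form.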