Massbug/judge4c
2
0
Fork 0
mirror of https://github.com/massbug/judge4c.git synced 2025-07-03 15:20:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
dd7d5a3c9c
judge4c/SECURITY.md
fly6516 dd7d5a3c9c
develop-SECURITY.md (#51) 
* feat: add SECURITY.md

* docs: repair syntax errors in SECURITY.md
2025-07-01 06:19:53 +00:00

3.2 KiB
Raw Blame History

Security Policy for Judge4C

🎯 Supported Branches & Versions

  • main — the production-ready and officially released branch.
  • develop — used for testing and pre-release. Not for production use.
  • We only support and patch security issues on main and actively-maintained releases.

🛡️ Reporting a Vulnerability

We appreciate responsible disclosure! Please follow this process:

  1. Submission

    • Preferably via GitHubs official vulnerability reporting: Security → Report a vulnerability.

  2. Report Details

    • Affected version or commit (e.g., main or specific SHA/hash).
    • Clear description and impact assessment.
    • Steps to reproduce, proof-of-concept (PoC), logs/screenshots/use cases.
    • Environment details (OS, dependencies, config, etc.).

  3. Confidentiality

    • All vulnerability discussions will remain confidential until a fix is released.
    • We respect credit preferences—anonymous reporting is accepted.

🧭 Response Timeline

Phase Target Timeline Description
Acknowledgment Within 5 business days Confirm receipt and provide a tracking reference.
Triage & Patching Within 14 calendar days Investigate, assess risk, and provide a fix or mitigation.
Public Disclosure After fix release Publish advisory in release notes and/or security bulletin.

⚠️ Severity Guidance

We appreciate reports of all severity levels. Example categories:

  • Critical: Remote code execution, authentication bypass, data exfiltration.
  • High: Privilege escalation, serious data/information leakage.
  • Medium: XSS, CSRF, business logic issues.
  • Low: Minor config weaknesses, non-sensitive information exposure.

🔐 Security Best Practices

We maintain the following controls and hygiene measures:

  • Docker-based sandboxing for isolated C-program execution; resource-limited.
  • Recommend TLS (HTTPS) for all network access and secure authentication tokens.
  • Strict access controls: only administrators and teachers can perform sensitive operations.
  • Dependabot and/or CodeQL for dependency & code scanning.
  • GitHub branch protections on both main and develop, including required reviews, status checks, and no force-push.
  • Secret scanning enabled to prevent API key leakage.

👨‍💻 Secure Development Tips

  • Avoid committing secrets: use environment variables and secret management tools.
  • Regular dependency updates—automated monthly scans are recommended.
  • Enforce 2FA for all contributors to reduce unauthorized access risks.

📚 References & Resources

  • GitHub best practices for security policies
  • OWASP Vulnerability Disclosure guidelines
  • Coordinated Vulnerability Disclosure in open-source

🤝 Getting Help & Acknowledgments

  • File a confidential GitHub security issue
  • You can also join our community Slack/Discord channel (see README).
  • For in-depth cross-project discussions, refer to GitHub Security Lab documentation.

📜 License

This policy is shared under the MIT License—feel free to copy or adapt.

Thank you for helping us keep Judge4C secure!
— The Judge4C Development Team