chore: add SECURITY.md from Template-Joomla

2026-06-28 07:15:34 +00:00
parent 9757658c34
commit b56e4060bf
@@ -0,0 +1,90 @@
<!--
Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
SPDX-License-Identifier: GPL-3.0-or-later
-->
# Security Policy
## Supported Versions
| Version | Supported |
|---|---|
| Latest stable | ✅ Full support |
| Previous major | ⚠️ Critical fixes only |
| Older | ❌ No support |
## Reporting a Vulnerability
**Do not report security vulnerabilities via public issues.**
Instead, please report them privately:
1. **Email**: [security@mokoconsulting.tech](mailto:security@mokoconsulting.tech)
2. **Subject**: `[SECURITY] <Repository Name> - <Brief Description>`
### What to Include
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
## Severity Classification
| Severity | Description | Response Time |
|---|---|---|
| **Critical** | Remote code execution, SQL injection, auth bypass | 24 hours |
| **High** | XSS, CSRF, privilege escalation | 48 hours |
| **Medium** | Information disclosure, path traversal | 72 hours |
| **Low** | Best practice violation, hardening suggestion | Next release |
## Remediation Timeline
1. **Acknowledgement**: Within 24 hours of report
2. **Assessment**: Within 72 hours
3. **Fix development**: Based on severity
4. **Release**: Patch release with security advisory
5. **Disclosure**: Coordinated disclosure after fix is available
## Security Best Practices
### For Contributors
- Never commit secrets, credentials, or API keys
- Use parameterised queries (no raw SQL concatenation)
- Validate and sanitise all user input
- Follow Joomla API for access control checks
- Use Joomla's `HTMLHelper` for output escaping
- Include SPDX license headers in all source files
### For Users
- Keep Joomla and all extensions updated
- Use strong, unique passwords
- Enable two-factor authentication
- Review file permissions regularly
- Monitor Joomla error logs
## Security Updates
Security patches are delivered through the standard update channel.
Critical fixes may receive an emergency out-of-band release.
## Responsible Disclosure
We follow coordinated disclosure practices:
- We will work with reporters to understand and reproduce the issue
- We will develop and test a fix
- We will credit reporters (with permission) in security advisories
- We ask that reporters allow reasonable time for a fix before public disclosure
## Contact
- **Security team**: [security@mokoconsulting.tech](mailto:security@mokoconsulting.tech)
- **General**: [hello@mokoconsulting.tech](mailto:hello@mokoconsulting.tech)
---
Thank you for helping keep Moko Consulting projects secure.
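Review bot: the "Response Time" column in the Severity Classification table is ambiguous when read next to the Remediation Timeline: Critical lists "24 hours", which coincides with the 24-hour acknowledgement target, while Low lists "Next release", which reads as a fix date, so the column mixes acknowledgement and remediation targets. Suggest stating what the column measures (for example "Target time to initial assessment") or splitting it into separate acknowledgement and fix targets. Two smaller points: the Reporting a Vulnerability section asks for steps to reproduce over plain email but offers no PGP key or fingerprint, so consider publishing one (or a private reporting link) beside the address; and the Supported Versions table never names concrete versions, so "Previous major" should be tied to a version number or to a link where the current list is maintained.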