diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7f29d29 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,90 @@ + + +# Security Policy + +## Supported Versions + +| Version | Supported | +|---|---| +| Latest stable | ✅ Full support | +| Previous major | ⚠️ Critical fixes only | +| Older | ❌ No support | + +## Reporting a Vulnerability + +**Do not report security vulnerabilities via public issues.** + +Instead, please report them privately: + +1. **Email**: [security@mokoconsulting.tech](mailto:security@mokoconsulting.tech) +2. **Subject**: `[SECURITY] - ` + +### What to Include + +- Description of the vulnerability +- Steps to reproduce +- Affected versions +- Potential impact +- Suggested fix (if any) + +## Severity Classification + +| Severity | Description | Response Time | +|---|---|---| +| **Critical** | Remote code execution, SQL injection, auth bypass | 24 hours | +| **High** | XSS, CSRF, privilege escalation | 48 hours | +| **Medium** | Information disclosure, path traversal | 72 hours | +| **Low** | Best practice violation, hardening suggestion | Next release | + +## Remediation Timeline + +1. **Acknowledgement**: Within 24 hours of report +2. **Assessment**: Within 72 hours +3. **Fix development**: Based on severity +4. **Release**: Patch release with security advisory +5. **Disclosure**: Coordinated disclosure after fix is available + +## Security Best Practices + +### For Contributors + +- Never commit secrets, credentials, or API keys +- Use parameterised queries (no raw SQL concatenation) +- Validate and sanitise all user input +- Follow Joomla API for access control checks +- Use Joomla's `HTMLHelper` for output escaping +- Include SPDX license headers in all source files + +### For Users + +- Keep Joomla and all extensions updated +- Use strong, unique passwords +- Enable two-factor authentication +- Review file permissions regularly +- Monitor Joomla error logs + +## Security Updates + +Security patches are delivered through the standard update channel. +Critical fixes may receive an emergency out-of-band release. 
+ +## Responsible Disclosure + +We follow coordinated disclosure practices: + +- We will work with reporters to understand and reproduce the issue +- We will develop and test a fix +- We will credit reporters (with permission) in security advisories +- We ask that reporters allow reasonable time for a fix before public disclosure + +## Contact + +- **Security team**: [security@mokoconsulting.tech](mailto:security@mokoconsulting.tech) +- **General**: [hello@mokoconsulting.tech](mailto:hello@mokoconsulting.tech) + +--- + +Thank you for helping keep Moko Consulting projects secure.
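Review bot: the reporting template under "Reporting a Vulnerability" is incomplete: item 2 reads `[SECURITY] - ` with nothing after the hyphen, so reporters are not told what the subject should contain; suggest spelling out a placeholder such as `[SECURITY] - <short description of the issue>`. Two related documentation gaps in the same hunk: the "Response Time" column of the severity table (24h / 48h / 72h / next release) is never defined, so it is unclear whether it means acknowledgement, triage or fix, and it partly conflicts with the "Remediation Timeline" list, which promises acknowledgement within 24 hours and assessment within 72 hours for every report regardless of severity; state explicitly what each number measures. Likewise "Disclosure: Coordinated disclosure after fix is available" and "allow reasonable time for a fix" give no concrete window, so a reporter cannot know when public disclosure is acceptable; a stated maximum (e.g. a fixed number of days from acknowledgement) would make the policy enforceable on both sides. Finally, the only reporting channel is plain email with no encryption key or fingerprint listed, so reproduction steps for a critical issue would travel in cleartext; consider publishing a PGP key or an alternative encrypted channel alongside the address.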