# Security Policy

## Supported Versions

| Version | Supported |
|---|---|
| Latest stable | ✅ Full support |
| Previous major | ⚠️ Critical fixes only |
| Older | ❌ No support |

## Reporting a Vulnerability

**Do not report security vulnerabilities via public issues.**

Instead, please report them privately:

1. **Email**: [security@mokoconsulting.tech](mailto:security@mokoconsulting.tech)
2. **Subject**: `[SECURITY] - `

### What to Include

- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)

## Severity Classification

| Severity | Description | Response Time |
|---|---|---|
| **Critical** | Remote code execution, SQL injection, auth bypass | 24 hours |
| **High** | XSS, CSRF, privilege escalation | 48 hours |
| **Medium** | Information disclosure, path traversal | 72 hours |
| **Low** | Best practice violation, hardening suggestion | Next release |

## Remediation Timeline

1. **Acknowledgement**: Within 24 hours of report
2. **Assessment**: Within 72 hours
3. **Fix development**: Based on severity
4. **Release**: Patch release with security advisory
5. **Disclosure**: Coordinated disclosure after fix is available

## Security Best Practices

### For Contributors

- Never commit secrets, credentials, or API keys
- Use parameterised queries (no raw SQL concatenation)
- Validate and sanitise all user input
- Follow the Joomla API for access control checks
- Use Joomla's `HTMLHelper` for output escaping
- Include SPDX license headers in all source files

### For Users

- Keep Joomla and all extensions updated
- Use strong, unique passwords
- Enable two-factor authentication
- Review file permissions regularly
- Monitor Joomla error logs

## Security Updates

Security patches are delivered through the standard update channel. Critical fixes may receive an emergency out-of-band release.
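The contributor rules above (parameterised queries, input validation, Joomla access-control checks, output escaping) are easier to apply with a concrete before/after. The following PHP is an added illustration written for this policy, not code from a Moko Consulting project; it assumes a hypothetical component `com_example`, Joomla 4 namespaces, and the Joomla database layer's `bind()` / `ParameterType` API. The escaping step uses PHP's `htmlspecialchars`, which is what Joomla's view `escape()` method wraps; in templates, follow whatever `HTMLHelper` convention the project uses.

```php
<?php
// Added example for the "For Contributors" rules. Hypothetical component
// "com_example"; Joomla 4 class names assumed. Not project code.

use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\Database\DatabaseInterface;
use Joomla\Database\ParameterType;

/**
 * VULNERABLE (the "before"): raw SQL concatenation.
 * Untrusted input becomes part of the SQL text, so a crafted username
 * changes the query's meaning instead of being compared as data.
 */
function findUserIdUnsafe(string $username): ?int
{
    $db  = Factory::getContainer()->get(DatabaseInterface::class);
    $sql = "SELECT id FROM #__users WHERE username = '" . $username . "'";

    $result = $db->setQuery($sql)->loadResult();

    return $result === null ? null : (int) $result;
}

/**
 * HARDENED: parameterised query built with the query builder.
 * The value travels to the driver as a bound parameter; identifiers are
 * quoted with quoteName() rather than pasted in.
 */
function findUserIdSafe(string $username): ?int
{
    $db    = Factory::getContainer()->get(DatabaseInterface::class);
    $query = $db->getQuery(true)
        ->select($db->quoteName('id'))
        ->from($db->quoteName('#__users'))
        ->where($db->quoteName('username') . ' = :username')
        ->bind(':username', $username, ParameterType::STRING);

    $result = $db->setQuery($query)->loadResult();

    return $result === null ? null : (int) $result;
}

/**
 * Input validation: read the request value through Joomla's Input object
 * and reject anything that is not a plausible username before it reaches
 * the database layer. The character policy here is an assumption.
 */
function readUsernameFromRequest(): string
{
    $input    = Factory::getApplication()->getInput();
    $username = $input->getString('username', '');

    if (!preg_match('/^[A-Za-z0-9._@-]{1,150}$/', $username)) {
        throw new \InvalidArgumentException('Invalid username');
    }

    return $username;
}

/**
 * Access control: ask the Joomla ACL whether the current identity may
 * perform the action on this component, and fail closed otherwise.
 */
function requireEditPermission(): void
{
    $user = Factory::getApplication()->getIdentity();

    if ($user === null || !$user->authorise('core.edit', 'com_example')) {
        throw new \RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'), 403);
    }
}

/**
 * Output escaping: encode HTML metacharacters so a stored value is rendered
 * as text, not interpreted as markup or attribute content.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Typical controller flow tying the pieces together.
requireEditPermission();
$username = readUsernameFromRequest();
$userId   = findUserIdSafe($username);
echo '<p>User: ' . escapeForHtml($username) . ' (#' . (int) $userId . ')</p>';
```

`findUserIdUnsafe()` is kept only to show the pattern the policy forbids; a reviewer should reject any new query built by string concatenation and ask for the bound-parameter form, and should expect an `authorise()` check before any state-changing action rather than relying on menu visibility alone.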
## Responsible Disclosure

We follow coordinated disclosure practices:

- We will work with reporters to understand and reproduce the issue
- We will develop and test a fix
- We will credit reporters (with permission) in security advisories
- We ask that reporters allow reasonable time for a fix before public disclosure

## Contact

- **Security team**: [security@mokoconsulting.tech](mailto:security@mokoconsulting.tech)
- **General**: [hello@mokoconsulting.tech](mailto:hello@mokoconsulting.tech)

---

Thank you for helping keep Moko Consulting projects secure.