Evercatch/.profile
5
0
Fork 0
Code Issues Pull Requests Actions Activity
Files
07502a6b266f34324e7f0ce88a0c4aec4f279c8a
.profile/SECURITY.md
Puranjay Savar Mattas 8176118c0f Add complete community documentation 
- README.md: Product overview + issue tracker landing
- SECURITY.md: Responsible disclosure policy
- CODE_OF_CONDUCT.md: Community guidelines
- CONTRIBUTING.md: How to contribute
- SUPPORT.md: Comprehensive support guide
- Issue templates: Bug, feature, support, docs, security

All references updated to evercatch.dev domain.
2026-02-13 15:34:23 +00:00

100 lines
3.0 KiB
Markdown
Raw Blame History

# Security Policy
## Reporting a Vulnerability
**We take security seriously.** If you discover a security vulnerability, please report it responsibly.
### 🔒 How to Report
**Email:** [security@evercatch.dev](mailto:security@evercatch.dev)
**DO NOT:**
- ❌ Open a public GitHub/Gitea issue
- ❌ Disclose the vulnerability publicly
- ❌ Exploit the vulnerability
**DO:**
- ✅ Email us with detailed information
- ✅ Give us reasonable time to fix it
- ✅ Follow responsible disclosure practices
### 📧 What to Include
Please include as much information as possible:
- **Description** - What is the vulnerability?
- **Impact** - What could an attacker do?
- **Steps to Reproduce** - How can we reproduce it?
- **Proof of Concept** - Code, screenshots, or examples
- **Suggested Fix** - If you have ideas
- **Your Contact Info** - For follow-up questions
### ⏱️ Our Response Process
1. **Acknowledgment** - We'll respond within 24 hours
2. **Assessment** - We'll evaluate severity and impact
3. **Updates** - We'll provide updates every 48 hours
4. **Fix** - We'll develop and test a patch
5. **Disclosure** - We'll coordinate public disclosure with you
6. **Credit** - We'll credit you in our security advisory (if desired)
### 🎯 Severity Levels
| Level | Description | Response Time |
|-------|-------------|---------------|
| **Critical** | Data breach, RCE, privilege escalation | 24 hours |
| **High** | Auth bypass, SQL injection, XSS | 48 hours |
| **Medium** | CSRF, info disclosure, DoS | 1 week |
| **Low** | Security misconfigurations | 2 weeks |
### 💰 Bug Bounty Program
We currently don't have a formal bug bounty program, but we may provide:
- 🎁 Swag (t-shirts, stickers)
- 💳 Free subscription upgrades
- 💵 Monetary rewards for critical vulnerabilities (case-by-case)
- 🏆 Public recognition (if desired)
### ✅ In Scope
- API endpoints (api.evercatch.dev)
- Web dashboard (app.evercatch.dev)
- Authentication/authorization
- Data storage and access controls
- Webhook forwarding logic
- Billing system
### ❌ Out of Scope
- Social engineering attacks
- Physical attacks
- DoS/DDoS attacks
- Spam or abuse of service
- Issues in third-party services (Stripe, SendGrid, etc.)
- Theoretical vulnerabilities without proof of concept
### 🛡️ Security Measures We Take
- **Encryption** - TLS 1.3 in transit, AES-256 at rest
- **Authentication** - API keys hashed with bcrypt
- **Rate Limiting** - Per-tier limits prevent abuse
- **Input Validation** - All inputs sanitized
- **Monitoring** - 24/7 monitoring for suspicious activity
- **Audits** - Regular security audits
- **Compliance** - SOC2 Type II (planned Q2 2026)
### 📜 Security Advisories
Past security advisories: [evercatch.dev/security](https://evercatch.dev/security)
### 📞 Contact
- **Security Team:** security@evercatch.dev
- **PGP Key:** [Download](https://evercatch.dev/pgp)
- **Status Page:** [status.evercatch.dev](https://status.evercatch.dev)
---
**Thank you for helping keep Evercatch and our users safe!** 🔐
Reference in New Issue View Git Blame Copy Permalink