diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..89a50c6 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,84 @@ +# Security Policy — @kyonax/org2html + +## Supported Versions + +These versions of **@kyonax/org2html** currently receive security patches and updates. + +| Version | Supported | +|--------|-----------| +| 1.x.x | ✔️ Active (current major) | +| 0.x.x | ❌ Unsupported | + +**Note:** +Using semantic versioning means only the latest minor/patch versions within an active major release are guaranteed to receive fixes. + +--- + +## Reporting a Vulnerability + +We take the security of this project seriously. +If you discover a security issue, please follow this responsible disclosure process. + +### 1. Contact Method + +Please report vulnerabilities privately via email: + +**📧 kyonax.corp@gmail.com** + +Do **not** create public GitHub issues for vulnerabilities. +All security reports must remain private until a fix is available. + +--- + +### 2. What to Include in a Report + +To help us investigate efficiently, please include: + +- A clear and concise description of the vulnerability +- Steps to reproduce the issue +- Your environment details (Node version, OS, CLI version) +- The potential impact (e.g., data exposure, code execution) +- A minimal reproducible example (if possible) + +--- + +### 3. Response Time Expectations + +We aim to handle security reports promptly: + +| Stage | Expected Time | +|-------|---------------| +| Acknowledgement | **48–72 hours** | +| Initial investigation | **3–7 days** | +| Fix development | **Varies by severity** | +| Release of security advisory | With the patch | + +You will receive updates throughout the entire process. + +--- + +### 4. Disclosure Policy + +- Confirmed vulnerabilities will be fixed privately. +- A public **security advisory** will be published after the patch is released. +- Reporters may be credited for their discovery (optional). 
+ +--- + +## License & Security Expectations (LGPL v3) + +Since this project is licensed under **LGPL v3**, users and contributors are expected to: + +- Keep modifications to the library open-source +- Distribute security fixes under LGPL-compatible terms +- Avoid removing or bypassing safety or sandboxing mechanisms +- Inform maintainers about any discovered vulnerabilities whenever possible + +This ensures the project remains safe and reliable for the entire community. + +--- + +## Thank You + +Thank you for helping improve the security and stability of **@kyonax/org2html**. +Your contributions make the ecosystem safer for everyone.
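Review bot: The "License & Security Expectations (LGPL v3)" section presents items as LGPL obligations that the license does not actually impose, which may mislead contributors; "Keep modifications to the library open-source" only applies to modifications that are distributed (private modifications carry no disclosure duty), and "Avoid removing or bypassing safety or sandboxing mechanisms" and "Inform maintainers about any discovered vulnerabilities" are project requests, not license terms. Suggest rewording the lead-in to something like "In addition to the LGPL v3 terms, we ask users and contributors to:" so license obligations and project expectations are not conflated. Two smaller points in the same hunk: the "Reporting a Vulnerability" section offers e-mail as the only private channel, so consider also mentioning GitHub's private vulnerability reporting (or a public key for encrypted mail) alongside "Do **not** create public GitHub issues for vulnerabilities"; and in the response-time table the last row ("Release of security advisory | With the patch") is the only one without bold formatting, so either bold it or drop the bold from the other rows for consistency.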