Skip to content

docs: Create SECURITY.md #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
DylanDevelops merged 1 commit into from
Dec 17, 2025
Merged

docs: Create SECURITY.md #15

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 70 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
# Security Policy

## Supported Versions

We release security updates for the following versions of tmpo:

| Version | Supported |
| ------- | ------------------ |
| 0.1.x | :white_check_mark: |
| < 0.1.0 | :x: |

We recommend always using the latest stable release to ensure you have the most recent security patches.

## Security Considerations

tmpo is a local-first CLI tool that stores time tracking data on your machine. Here are some security aspects to be aware of:

### **Local Data Storage**

- All time entries are stored in a SQLite database at `$HOME/.tmpo/tmpo.db`
- The database is only accessible to your user account (standard file permissions apply)
- No data is transmitted over the network

### **Configuration Files**

- `.tmporc` files may contain project-specific configuration including hourly rates
- These files are stored in plain text and inherit directory permissions
- Be cautious when committing `.tmporc` files to version control if they contain sensitive rate information

### **Git Integration**

- tmpo uses Git commands for automatic project detection
- Only basic Git metadata (repository name) is accessed
- No Git credentials or remote repository data is used

## Reporting a Vulnerability

If you discover a security vulnerability in tmpo, please report it responsibly:

### **Preferred Method:**

[Report via GitHub Security Advisories](https://github.com/DylanDevelops/tmpo/security/advisories/new)

### **What to Include:**

- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions (if known)
- Potential impact
- Any suggested fixes (optional)

### **Response Timeline:**

- We will acknowledge your report within 48 hours
- We will provide an initial assessment within 5 business days
- We will work to release a fix as quickly as possible depending on severity

### **Responsible Disclosure:**

Please do not publicly disclose the vulnerability until we have had a chance to address it and release a fix. We will credit security researchers who report valid vulnerabilities (unless you prefer to remain anonymous).

## Security Best Practices

When using tmpo, we recommend:

- Keep your tmpo binary updated to the latest version
- Be mindful of what information you include in time entry descriptions
- Review `.tmporc` files before committing them to public repositories
- Use appropriate file permissions for your `~/.tmpo/` directory
- Regularly backup your time tracking data if it's business-critical
Loading