Merged
6 changes: 6 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -187,6 +187,12 @@ Before opening a new issue:

For feature requests, describe the use case, the expected behavior, and why the change would help DoubtDesk users.

### Security Issues

Please do not report security vulnerabilities through public GitHub issues.

Refer to [SECURITY.md](./SECURITY.md) for responsible disclosure instructions.

### Requesting Assignment

If you want to work on an issue, please leave a comment containing the exact phrase `/assign`.
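Review bot: the link on the new line `Refer to [SECURITY.md](./SECURITY.md) for responsible disclosure instructions.` uses a `./`-prefixed relative path, while the README hunk in this same PR links the file as `[SECURITY.md](SECURITY.md)`; both resolve on GitHub, but pick one form and use it in both files. The section also only says what not to do; a single sentence telling a contributor who has already opened a public issue to remove the details and re-report privately would close that gap.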
7 changes: 7 additions & 0 deletions README.md
Expand Up @@ -43,6 +43,7 @@
- [Mid-Term (v1.2)](#mid-term-v12)
- [Long-Term (v2.0)](#long-term-v20)
- [Code of Conduct](#code-of-conduct)
- [Security](#security)
- [License](#license)
- [Acknowledgments](#acknowledgments)

Expand Down Expand Up @@ -412,6 +413,12 @@ We are committed to providing a welcoming and harassment-free experience for eve

---

## Security

If you discover a security vulnerability, please follow the responsible disclosure process described in [SECURITY.md](SECURITY.md).

---

## License

This project is licensed under the **MIT License**. See the [LICENSE](LICENSE) file for details.
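Review bot: the new `## Security` sentence points readers at SECURITY.md but omits the one instruction CONTRIBUTING.md states up front in this PR, that vulnerabilities must not be reported through public GitHub issues; repeat that here, since the README is the first file most people read and should not be taken as an invitation to open one. The `#security` anchor added to the table of contents in the previous hunk matches this heading, so no change is needed there.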
55 changes: 55 additions & 0 deletions SECURITY.md
@@ -0,0 +1,55 @@
# Security Policy

Thank you for helping keep DoubtDesk and its users safe.

## Supported Versions

At this time, only the latest version of DoubtDesk is actively supported with security updates.

| Version | Supported |
| -------------- | --------- |
| Latest Release | ✅ |
| Older Versions | ❌ |

## Reporting a Vulnerability

If you discover a security vulnerability, please **do not create a public GitHub issue**.

Instead, report the issue privately to the project maintainers through GitHub or any official communication channel provided by the maintainers.

Comment on lines +18 to +19
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Define an explicit private reporting channel (not a generic “official channel”).

The current wording is ambiguous and can still route reports to public/non-triaged paths. Please name at least one concrete private path (e.g., security email and/or GitHub Security Advisories link) and make it the primary instruction.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 18 - 19, update the ambiguous sentence "Instead,
report the issue privately to the project maintainers through GitHub or any
official communication channel provided by the maintainers." to name concrete
private reporting channels and make one primary: specify a monitored security
email (e.g., security@<your-domain>.com) and the GitHub Security Advisories URL
(https://github.com/OWNER/REPO/security/advisories) as the preferred paths,
instruct reporters to use those private channels first, and remove/replace the
generic "official communication channel" wording in SECURITY.md.

When reporting a vulnerability, please include:

* A clear description of the issue
* Steps to reproduce the vulnerability
* Potential impact
* Screenshots or proof-of-concept details (if applicable)

## Response Timeline

The maintainers will review security reports as soon as possible and aim to acknowledge reports within 72 hours.

After verification, maintainers will investigate the issue, develop a fix, and coordinate responsible disclosure when appropriate.

## Scope

Examples of security issues include:

* Authentication bypass
* Unauthorized access to classrooms or user accounts
* Privilege escalation
* Sensitive information disclosure
* Database exposure
* Vulnerabilities affecting student or teacher data

The following are generally not considered security issues:

* UI or styling bugs
* Feature requests
* Documentation issues
* Minor usability concerns

## Responsible Disclosure

Please avoid publicly disclosing security vulnerabilities until the maintainers have had a reasonable opportunity to investigate and address the issue.

Thank you for helping improve the security of DoubtDesk.
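Review bot: the `## Response Timeline` section commits only to a 72-hour acknowledgement, so the "reasonable opportunity" that `## Responsible Disclosure` asks reporters to allow has no concrete bound; state a target disclosure window measured from acknowledgement (for example 90 days) and what the maintainers will do if a fix needs longer, so both reporter and maintainers know when public disclosure is fair. Two smaller points: the channel in `## Reporting a Vulnerability` is still "GitHub or any official communication channel", which the inline comment on lines 18 to 19 already flags as too vague, and the "Latest Release" row of the `## Supported Versions` table should say whether that means the most recent tagged release or the current default branch, since the README in this PR refers to v1.2 and v2.0 milestones.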