
Commit 46ad465

docs: add security policy with vulnerability reporting guidelines
1 parent fd04575 commit 46ad465

1 file changed

Lines changed: 56 additions & 0 deletions

File tree

SECURITY.md

@@ -0,0 +1,56 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
We actively maintain security updates for the following versions:
6+
7+
| Addon version | Statamic version | Supported |
8+
| --- | --- | --- |
9+
| 6.x | 6.x ||
10+
| 5.x | 5.x ||
11+
| < 5.0 | 4.x and below ||
12+
13+
## Reporting a Vulnerability
14+
15+
If you discover a security issue, please follow responsible disclosure.
16+
17+
**Please do not report security issues in public GitHub issues.**
18+
19+
### Report via GitHub Security Advisory (preferred)
20+
21+
1. Go to the repository **Security** tab.
22+
2. Click **Report a vulnerability**.
23+
3. Include:
24+
- Description of the vulnerability
25+
- Affected versions
26+
- Steps to reproduce (or a minimal proof of concept)
27+
- Potential impact
28+
- Any suggested mitigation (optional)
29+
30+
## Response Timeline
31+
32+
- **Acknowledgement:** within 48 hours
33+
- **Initial assessment:** within 5 business days
34+
- **Fix:** we aim to release a patch as soon as possible (prioritised by severity)
35+
36+
## Scope
37+
38+
This policy covers vulnerabilities in the **statamic-analytics** addon, including:
39+
40+
- Control Panel widgets and data handling
41+
- Configuration and credential management
42+
- Integration points with Statamic
43+
44+
This policy does **not** cover vulnerabilities in upstream dependencies. Please report those to the appropriate maintainers:
45+
46+
- Statamic core: [github.com/statamic/cms/security](https://github.com/statamic/cms/security)
47+
- Laravel framework: [github.com/laravel/framework/security](https://github.com/laravel/framework/security)
48+
- spatie/laravel-analytics: [github.com/spatie/laravel-analytics/security](https://github.com/spatie/laravel-analytics/security)
49+
- Google APIs / Google Analytics: [bughunters.google.com](https://bughunters.google.com/)
50+
51+
## Security Best Practices
52+
53+
- Keep your Google Analytics service account credentials secure
54+
- Never commit credentials to version control
55+
- Use HTTPS in production
56+
- Regularly update Statamic and this addon
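Review bot: the `Supported` column of the version table (the three rows following `| --- | --- | --- |`) has empty cells, so the table never states which addon versions actually receive security updates; fill each row with an explicit value such as `Yes` or `No` (e.g. `| 6.x | 6.x | Yes |`), or drop the column. The reporting section is headed "Report via GitHub Security Advisory (preferred)" but offers no fallback channel for a reporter who cannot use the advisory form; either add a second contact route under that heading or remove "(preferred)" so the policy does not imply an alternative it does not provide.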
