|
| 1 | +## Security Policy |
| 2 | + |
| 3 | +This document describes how to report security issues for Melodee. |
| 4 | + |
| 5 | +### Supported versions |
| 6 | + |
| 7 | +Melodee is primarily distributed from source and via containers. |
| 8 | + |
| 9 | +- **Supported**: the current default branch (`main`) and the latest tagged release (if tags exist). |
| 10 | +- **Unsupported**: older commits/tags and unofficial third-party builds. |
| 11 | + |
| 12 | +If you are unsure whether your version is supported, still report the issue; we will advise on next steps. |
| 13 | + |
| 14 | +### Reporting a vulnerability |
| 15 | + |
| 16 | +Please **do not** open a public GitHub Issue for security vulnerabilities. |
| 17 | + |
| 18 | +Preferred reporting channel: |
| 19 | + |
| 20 | +1. Go to the repository **Security** tab. |
| 21 | +2. Click **Report a vulnerability** (GitHub Security Advisories). |
| 22 | +3. Provide the details requested below. |
| 23 | + |
| 24 | +If the Security tab is not available in your fork, report the issue in the upstream repository. |
| 25 | + |
| 26 | +### What to include |
| 27 | + |
| 28 | +To help us triage quickly, please include: |
| 29 | + |
| 30 | +- A clear description of the vulnerability and its impact. |
| 31 | +- Affected component(s) and version/commit SHA. |
| 32 | +- Steps to reproduce (proof-of-concept is helpful). |
| 33 | +- Any known mitigations or configuration constraints. |
| 34 | +- Whether you can reliably reproduce the issue. |
| 35 | + |
| 36 | +If your report includes sensitive data, please redact it. |
| 37 | + |
| 38 | +### What to expect |
| 39 | + |
| 40 | +We aim to follow common coordinated disclosure practices: |
| 41 | + |
| 42 | +- **Acknowledgement**: within 72 hours. |
| 43 | +- **Triage**: we will assess severity, impact, and affected versions. |
| 44 | +- **Fix development**: timelines vary by severity and complexity. |
| 45 | +- **Disclosure**: we will coordinate with you on a reasonable disclosure date once a fix is available. |
| 46 | + |
| 47 | +### Security advisories and updates |
| 48 | + |
| 49 | +When a vulnerability is confirmed, we will generally: |
| 50 | + |
| 51 | +- Publish a GitHub Security Advisory (CVE if appropriate). |
| 52 | +- Document upgrade/mitigation guidance. |
| 53 | +- Provide a patched tag/container image where possible. |
| 54 | + |
| 55 | +### Scope |
| 56 | + |
| 57 | +This policy covers security issues in: |
| 58 | + |
| 59 | +- The Melodee server and its APIs. |
| 60 | +- Official container images (if/when published). |
| 61 | +- Repository-managed configuration and deployment artifacts. |
| 62 | + |
| 63 | +Third-party dependencies (NuGet packages, base container images, etc.) should still be reported if they are exploitable through Melodee. |
| 64 | + |
| 65 | +### Safe harbor |
| 66 | + |
| 67 | +We support good-faith security research intended to improve the security of Melodee and its users. |
| 68 | + |
| 69 | +- Do not access or modify data that does not belong to you. |
| 70 | +- Do not perform testing that degrades availability for other users. |
| 71 | +- Do not use social engineering, phishing, or physical attacks. |
| 72 | + |
| 73 | +### Credits |
| 74 | + |
| 75 | +If you would like to be credited for a report/fix, let us know in the advisory. |
0 commit comments