|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We currently support the latest stable release of this CLI tool. Users are encouraged to always run the latest version available on Crates.io or GitHub Releases to ensure all security patches are applied. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| --- | --- | |
| 9 | +| Latest Stable (Crates.io) | ✅ | |
| 10 | +| Older Versions | ❌ | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +If you discover a security vulnerability in this project, **please do not open a public issue** on GitHub. Instead, follow these steps: |
| 15 | + |
| 16 | +1. **Contact us privately** via email at `microdaika1@gmail.com`. |
| 17 | +2. Provide detailed information about the vulnerability, including: |
| 18 | +* A description of the issue (e.g., buffer overflow, panic injection, argument parsing exploit). |
| 19 | +* Steps to reproduce the issue via the command line. |
| 20 | +* Example of malicious input or arguments. |
| 21 | +* Potential impact (e.g., denial of service, privilege escalation). |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +We aim to respond within **5 business days** and will work with you to assess and address the issue as quickly as possible. |
| 26 | + |
| 27 | +## Disclosure Policy |
| 28 | + |
| 29 | +Once a fix has been developed and tested, we will: |
| 30 | + |
| 31 | +* Notify the reporter of the resolution. |
| 32 | +* Release a patched version on Crates.io and GitHub. |
| 33 | +* Publish release notes detailing the security update (advising users to run `cargo install --force ...` or update via their package manager). |
| 34 | + |
| 35 | +## Security Best Practices for Users |
| 36 | + |
| 37 | +We strongly recommend that users: |
| 38 | + |
| 39 | +* **Keep the tool updated:** Regularly check for updates via Cargo (`cargo install <crate_name>`) or your distribution's package manager. |
| 40 | +* **Least Privilege:** Avoid running the binary with `sudo` or Administrator privileges unless explicitly required by the command functionality. |
| 41 | +* **Input Validation:** Be cautious when passing untrusted file paths or raw data as arguments to the CLI. |
| 42 | + |
| 43 | +## Dependency Management & Supply Chain |
| 44 | + |
| 45 | +We take supply chain security seriously: |
| 46 | + |
| 47 | +* We use **`Cargo.lock`** to ensure reproducible builds and verify dependency versions. |
| 48 | +* We utilize automated tools (such as `cargo-audit` or GitHub Dependabot) to regularly scan our dependency tree for known vulnerabilities filed in the RustSec Advisory Database. |
| 49 | +4. **Зависимости:** Упомянут `Cargo.lock` (стандарт для бинарных крейтов) и `cargo-audit` / RustSec (стандарт аудита в Rust). |
| 50 | + |
| 51 | +Хотите, я помогу настроить GitHub Action, который будет автоматически запускать `cargo audit` при каждом пулл-реквесте? |
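Review bot: lines 49-51 of the new SECURITY.md are leftover text from a chat-assistant reply (a Russian numbered item "4. Зависимости: ..." summarizing the file, followed by "Would you like me to help set up a GitHub Action that runs `cargo audit` on every pull request?") and should be deleted before merge; a published security policy must not contain a stray "4." item under a bullet list or an offer addressed to the author. Two smaller formatting issues in the same hunk: the sub-bullets at lines 18-21 are meant to nest under step 2 of the reporting procedure but are not indented, so most Markdown renderers will end the numbered list and start a separate bullet list; and lines 22-24 are three consecutive blank lines, which is one more than the document's convention elsewhere. Suggest indenting lines 18-21 by three spaces under "2." and collapsing the blank run to a single empty line.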