
Commit f3bc41d

Create SECURITY.md
1 parent 09150b3 commit f3bc41d

File tree

1 file changed

+73
-0
lines changed


SECURITY.md

Lines changed: 73 additions & 0 deletions
@@ -0,0 +1,73 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
| Version | Supported |
6+
| --------------- | ----------------- |
7+
| 2025.x.x (main) | :white_check_mark:|
8+
| Earlier | :x: |
9+
10+
## Reporting a Vulnerability
11+
12+
If you discover a security vulnerability, **do not create a public issue**. Instead:
13+
14+
1. **Email:** security@mstarrobotics.com
15+
2. **PGP:** [Download our public key](https://mstarrobotics.com/security/pgp-key.asc) to encrypt sensitive information.
16+
3. Provide:
17+
- Versions affected
18+
- Step-by-step reproduction instructions
19+
- Potential impact
20+
- Your contact information
21+
22+
We will respond within **72 hours**. If you do not receive a response, please resend your email or contact a project maintainer via [GitHub Discussions](https://github.com/MStarRobotics/RSS2025/discussions).
23+
24+
## Security Best Practices
25+
26+
- **Update Regularly:** Keep all dependencies, ROS 2 packages, and OS components up to date.
27+
- **Access Control:** Use strong, unique passwords and enable 2FA for all accounts and APIs.
28+
- **Network Security:** Restrict access using firewalls, VPNs, and secure communication protocols (TLS 1.3+).
29+
- **Data Protection:** Encrypt sensitive data at rest and in transit.
30+
- **Secrets Management:** Never commit secrets, credentials, or sensitive keys to the repository. Use secrets managers and environment variables.
31+
- **Least Privilege:** Grant only the minimum permissions necessary to users, services, and robots.
32+
33+
## Automated Code Scanning and CI/CD
34+
35+
- All code changes are automatically scanned for vulnerabilities using [GitHub Advanced Security](https://docs.github.com/en/code-security).
36+
- Use [Dependabot](https://github.com/dependabot) for automatic dependency updates.
37+
- All pull requests must pass security and static analysis checks before merging.
38+
39+
## Supply Chain Security
40+
41+
- Only trusted, verified sources for dependencies are permitted.
42+
- All third-party code must be reviewed and logged in [THIRD_PARTY.md](./THIRD_PARTY.md).
43+
- Signed commits and [SLSA Level 3](https://slsa.dev/spec/v0.1/requirements) compliance are strongly recommended.
44+
45+
## Vulnerability Management
46+
47+
- Critical vulnerabilities will trigger an immediate embargo, patch, and responsible disclosure process.
48+
- Patches are prioritized based on CVSS severity and exploitability.
49+
- Users will be notified via [GitHub Security Advisories](https://github.com/MStarRobotics/RSS2025/security/advisories).
50+
51+
## Responsible Disclosure Timeline
52+
53+
| Action | Timeline |
54+
|-------------------------------|---------------------|
55+
| Acknowledgement of report | Within 72 hours |
56+
| Initial assessment | Within 7 days |
57+
| Patch release (if required) | As soon as possible |
58+
| Public disclosure | After patch release |
59+
60+
## Compliance and Certifications
61+
62+
- Follows [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) and [NIST CSF](https://www.nist.gov/cyberframework).
63+
- GDPR, CCPA, and other privacy regulations are supported where applicable.
64+
- All contributors are required to follow project [Code of Conduct](./CODE_OF_CONDUCT.md).
65+
66+
## Security Resources
67+
68+
- [ROS 2 Security Best Practices](https://docs.ros.org/en/rolling/Guide/Security.html)
69+
- [GitHub Security Documentation](https://docs.github.com/en/code-security)
70+
71+
---
72+
73+
For urgent matters, please use the contact methods above. Thank you for helping keep RSS2025 and its users safe!
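Review bot: the fallback path in "Reporting a Vulnerability" tells a reporter who gets no reply within 72 hours to reach a maintainer via GitHub Discussions, which is public, so a stalled report would end up disclosed in the open; point the fallback at GitHub's private vulnerability reporting (the "Report a vulnerability" form under the repository's Security tab) or a second private address instead. In the same section the PGP item links to a key file but gives no fingerprint, so a reporter cannot check that the key they downloaded is the intended one; paste the full fingerprint into this file next to the link. Two references also need follow-up: ./THIRD_PARTY.md and ./CODE_OF_CONDUCT.md are linked but this commit adds only SECURITY.md, and the SLSA link targets the v0.1 spec (https://slsa.dev/spec/v0.1/requirements), which has been superseded by v1.0 where the levels were reorganised into tracks (the equivalent is Build L3 under https://slsa.dev/spec/v1.0/levels). Minor: the "Use Dependabot" bullet reads as advice to users while its neighbours state what the project enforces; reword it to say whether Dependabot is enabled on this repository.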

0 commit comments
