| 1 | +# Security Policy |
| 2 | + |
| 3 | +This security policy outlines the security support commitments for CodeSnap users. We prioritize the security of our |
| 4 | +users and products and are committed to resolving vulnerabilities promptly. |
| 5 | + |
| 6 | +## Security SLAs by User Type |
| 7 | + |
| 8 | +### **Open Source Users (Apache 2.0 License)** |
| 9 | + |
| 10 | +- **Security SLA**: No formal Security Service Level Agreement (SLA) is provided. |
| 11 | +- **Release Schedule**: Updates, including security fixes, are released approximately every 3 to 6 months. |
| 12 | +- **Version Support**: Security patches are only provided for the latest release version. |
| 13 | + |
| 14 | +### **CodeSnap Pro Users** |
| 15 | + |
| 16 | +- **Security SLA**: Vulnerabilities are addressed based on severity within the following timelines: |
| 17 | + - **Critical**: Resolved within 14 days. |
| 18 | + - **High**: Resolved within 30 days. |
| 19 | + - **Medium**: Resolved within 90 days. |
| 20 | + - **Low**: Resolved within 180 days. |
| 21 | + - **Informational**: Addressed as needed. |
| 22 | +- **Release Schedule**: Updates are released promptly after vulnerabilities are resolved, in line with the SLA. |
| 23 | +- **Version Support**: Security patches are provided for the latest version and, when applicable, supported versions |
| 24 | + outlined in the Pro user agreement. |
| 25 | + |
| 26 | +--- |
| 27 | + |
| 28 | +## Reporting a Vulnerability |
| 29 | + |
| 30 | +We encourage the community to report any potential vulnerabilities to help us keep CodeSnap secure. |
| 31 | + |
| 32 | +### **How to Report** |
| 33 | + |
| 34 | +Submit reports via **[ranitmanik.dev@gmail.com](mailto:ranitmanik.dev@gmail.com)**. For sensitive disclosures, encrypt |
| 35 | +your |
| 36 | +email using [PGP key](https://pgptool.github.io/). |
| 37 | + |
| 38 | +Provide as much detail as possible, including: |
| 39 | + |
| 40 | +- Affected area of the system. |
| 41 | +- Steps to reproduce the vulnerability. |
| 42 | +- Proof-of-concept or exploit code (if available). |
| 43 | +- Severity and potential impact. |
| 44 | + |
| 45 | +--- |
| 46 | + |
| 47 | +### **Guidelines** |
| 48 | + |
| 49 | +When security testing CodeSnap, please avoid: |
| 50 | + |
| 51 | +- Privacy violations or data destruction. |
| 52 | +- Service disruption longer than 5 minutes. |
| 53 | +- Scanning at a rate exceeding 5 queries per second (QPS). |
| 54 | + |
| 55 | +Focus on reporting vulnerabilities that could lead to real-world exploits. |
| 56 | + |
| 57 | +--- |
| 58 | + |
| 59 | +### **Out-of-Scope Vulnerabilities** |
| 60 | + |
| 61 | +- Exploits requiring physical access to devices. |
| 62 | +- Vulnerabilities in unsupported versions of browsers or outdated dependencies. |
| 63 | +- Configuration issues caused by user error. |
| 64 | + |
| 65 | +**Notes**: |
| 66 | + |
| 67 | +- Vulnerabilities caused by the same root issue are treated as one. |
| 68 | +- We may award swag for lower-impact findings. |
| 69 | + |
| 70 | +--- |
| 71 | + |
| 72 | +## Response and Timeline |
| 73 | + |
| 74 | +Our commitment to triaging and resolving security reports: |
| 75 | + |
| 76 | +- **Initial Response**: Within 1-2 business days. |
| 77 | +- **Triage Completion**: Within 3-5 business days. |
| 78 | +- **Resolution Timeline**: Based on the SLA and severity. |
| 79 | + |
| 80 | +We'll maintain clear communication throughout the process. |
| 81 | + |
| 82 | +--- |
| 83 | + |
| 84 | +## Safe Harbor |
| 85 | + |
| 86 | +Activities conducted in line with this policy are authorized and protected. If legal concerns arise, we will make it |
| 87 | +clear that your actions were compliant with our policy. |
| 88 | + |
| 89 | +Thank you for helping us secure CodeSnap and protect our users! |
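Review bot: the "How to Report" block (lines 34-36 of the hunk) asks reporters to encrypt sensitive disclosures with a "PGP key" but the link points to a generic PGP web tool (https://pgptool.github.io/) rather than to the project's own public key, so a reporter has no key to encrypt to; either link the actual public key file (for example a `.asc` in the repository) and state its fingerprint, or drop the encryption instruction. A secondary point: the policy lists out-of-scope items but never states which assets are in scope, and the Safe Harbor section promises that testing "in line with this policy" is authorized, so consider adding an explicit in-scope list (repository, hosted service, package) so both sides know what that authorization covers.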