We take the security of DevDisplay seriously. If you discover any security vulnerabilities, please report them to us responsibly by following these steps:
- DO NOT create a public GitHub issue for security vulnerabilities
- Send an email to [[email protected]] with details about the vulnerability
- Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (if available)
- We will acknowledge receipt of your vulnerability report within 48 hours
- We aim to provide a detailed response within 5 business days
- We will keep you informed about the progress of fixing the vulnerability
-
Code Review
- All code changes must go through peer review
- Security-sensitive code requires additional review
- Follow secure coding guidelines
-
Dependencies
- Keep all dependencies up to date
- Regularly check for known vulnerabilities in dependencies
- Use only trusted and well-maintained packages
-
Authentication & Authorization
- Use strong password policies
- Implement proper session management
- Follow the principle of least privilege
-
Data Protection
- Encrypt sensitive data in transit and at rest
- Never commit sensitive data (tokens, passwords, keys) to the repository
- Use environment variables for sensitive configuration
-
Account Security
- Use strong, unique passwords
- Enable two-factor authentication when available
- Keep your access tokens secure
-
Reporting Issues
- Report any suspicious activity immediately
- Do not share sensitive information publicly
- Follow responsible disclosure practices
- Security patches will be released as soon as possible
- Critical updates will be clearly marked
- Users will be notified of security-related updates through our communication channels
This security policy applies to:
- The main DevDisplay repository
- Official plugins and extensions
- Official documentation
- Related deployment configurations
The following are considered out of scope:
- Third-party plugins not maintained by DevDisplay
- User-modified configurations
- Issues already reported
- Theoretical vulnerabilities without proof of concept
For security-related inquiries:
- Email: [[email protected]]
- PGP Key: [Link to PGP key]
Thank you for helping keep DevDisplay and its users safe!
Last updated: [02-11-24] Version: 1.0