Add branch protection infrastructure:
- .github/CODEOWNERS for auto-assign
- Issue templates (bug report, feature request)
- PR template with checklist
- SECURITY.md with disclosure policy
- Update CONTRIBUTING.md with branch workflow and ε commit prefix
40 lines
1021 B
Markdown
# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| v0.3.x  | Yes       |
| < v0.3  | No        |

## Reporting a Vulnerability

If you discover a security vulnerability in Espilon, please report it responsibly.

**Do NOT open a public issue.**

Send an email to: **espilon-security@proton.me**

Include:

- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Suggested fix (if any)

You will receive a response within 72 hours. We will work with you to understand and address the issue before any public disclosure.

## Scope

This policy covers:

- ESP32 firmware (`espilon_bot/`)
- C3PO control server (`tools/C3PO/`)
- Cryptographic implementation (ChaCha20-Poly1305, HKDF)
- Network protocols and command dispatch

## Responsible Disclosure

We ask that you:

- Allow reasonable time to fix the issue before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access or modify data belonging to others