From 0eddfb33043a92b22716d68198c21af2738dbf8f Mon Sep 17 00:00:00 2001 From: Enno Gelhaus Date: Sun, 19 Apr 2026 21:13:12 +0200 Subject: [PATCH 1/5] feat: security policy changes - Add Response Timelines - Add Security Scope - Modify maintainer list for security maintainers --- SECURITY.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 8385dcb1..0a1819b5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,6 +4,17 @@ The Postiz app is committed to ensuring the security and integrity of our users' data. This security policy outlines our procedures for handling security vulnerabilities and our disclosure policy. +## Scope + +We, at Postiz, cover the following scopes for vulnerability disclosures: + +- The core repository for `postiz-app` (github.com/gitroomhq/postiz-app) +- All `gitroomhq` repositories related to Postiz (Containing `postiz` in the name / description / README.md) +- Official Postiz CLI tools and NPM packages +- Plugins maintained within the `gitroomhq` organization. + +Vulnerabilities in third-party dependencies or user-hosted infrastructure are outside of this scope. + ## Reporting Security Vulnerabilities If you discover a security vulnerability in the Postiz app, please report it through the [GitHub Security Advisory system](https://github.com/gitroomhq/postiz-app/security/advisories/new). @@ -18,7 +29,6 @@ When reporting a security vulnerability, please provide as much detail as possib If the report has immidiate urgency, please contact one (or more) of the maintainers via email: - @egelhaus ([E-Mail](mailto:egelhaus@ennogelhaus.de)) -- @nevo-david ([E-Mail](mailto:nevo@postiz.com)) ### AI Reports We do not evaluate or support security reports generated by LLMs (Large-Language Models / AI). Any report that seems to be generated by AI will be instantly closed on sight by one of our maintainers. 
@@ -27,10 +37,11 @@ However, if the AI report has been closely evaluated by human oversight, and pro ## Supported Versions This project currently only supports the latest release. We recommend that users always use the latest version of the Postiz app to ensure they have the latest security patches. +*CVE IDs will only be assigned to vulnerabilities affecting currently supported versions.* ## Disclosure Guidelines -We follow a private disclosure policy. If you discover a security vulnerability, please report it to us privately via email to one of the maintainers listed above. We will respond promptly to reports of vulnerabilities and work to resolve them as quickly as possible. +We follow a private disclosure policy. If you discover a security vulnerability, please report it to us privately via GitHub Security Advisories, and if immidiate urgency, via email as listed above. We will respond promptly to reports of vulnerabilities and work to resolve them as quickly as possible. We will not publicly disclose security vulnerabilities until a patch or fix is available to prevent malicious actors from exploiting the vulnerability before a fix is released. @@ -42,3 +53,13 @@ We take security vulnerabilities seriously and will respond promptly to reports - Developing a patch or fix for the vulnerability. - Releasing the patch or fix as soon as possible. - Notifying users of the vulnerability and the patch or fix. + +## Response Timelines + +We aim to follow these timelines: + +- **Initial Acknowledgement:** Within 72 hours of initial report. +- **Completed Triage / Verification:** Within 7 days of initial acknowledgement. +- **Critical Issue Remedition:** Within 90 days of completed triage. +- **Non-Critical Issue Remedition:** Within 180 days of completed triage. +- **CVE Publication:** Within 24 hours of remedition release. From 55a542485a6dcaaf457ffd8a74443e0f1b7efeed Mon Sep 17 00:00:00 2001 
From: Enno Gelhaus Date: Sun, 19 Apr 2026 22:58:05 +0200 Subject: [PATCH 2/5] feat: security additions --- SECURITY.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0a1819b5..758ab66b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,12 +6,13 @@ The Postiz app is committed to ensuring the security and integrity of our users' ## Scope -We, at Postiz, cover the following scopes for vulnerability disclosures: +We, at Postiz (gitroomhq), cover the following scopes for vulnerability disclosures: - The core repository for `postiz-app` (github.com/gitroomhq/postiz-app) -- All `gitroomhq` repositories related to Postiz (Containing `postiz` in the name / description / README.md) -- Official Postiz CLI tools and NPM packages -- Plugins maintained within the `gitroomhq` organization. +- All `gitroomhq` repositories that are official components, tooling, or integrations of Postiz +- Docker images of Positz on GHCR. (published under gitroomhq) +- Official Postiz CLI tools and NPM packages (NPM org: @postiz) +- Plugins for Postiz maintained within the `gitroomhq` organization. Vulnerabilities in third-party dependencies or user-hosted infrastructure are outside of this scope. From 8cfb634b6682d7fe800c539cf32f98fa05f36972 Mon Sep 17 00:00:00 2001 From: Enno Gelhaus Date: Sun, 19 Apr 2026 23:00:16 +0200 Subject: [PATCH 3/5] feat: security rewording --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 758ab66b..cc34bb03 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -10,9 +10,9 @@ We, at Postiz (gitroomhq), cover the following scopes for vulnerability disclosu - The core repository for `postiz-app` (github.com/gitroomhq/postiz-app) - All `gitroomhq` repositories that are official components, tooling, or integrations of Postiz -- Docker images of Positz on GHCR. (published under gitroomhq) +- Official Postiz container images published under `gitroomhq` on GHCR - Official Postiz CLI tools and NPM packages (NPM org: @postiz) -- Plugins for Postiz maintained within the `gitroomhq` organization. +- Plugins for Postiz maintained within the `gitroomhq` organization Vulnerabilities in third-party dependencies or user-hosted infrastructure are outside of this scope. From c61e061145226b8fe96f9311691fa5f8a86aedeb Mon Sep 17 00:00:00 2001 From: Enno Gelhaus Date: Sun, 19 Apr 2026 23:09:01 +0200 Subject: [PATCH 4/5] feat: security refinement --- SECURITY.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index cc34bb03..d270c269 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -16,6 +16,11 @@ We, at Postiz (gitroomhq), cover the following scopes for vulnerability disclosu Vulnerabilities in third-party dependencies or user-hosted infrastructure are outside of this scope. +## Supported Versions + +This project currently only supports the latest release. We recommend that users always use the latest version of the Postiz app to ensure they have the latest security patches. +*CVE IDs will only be assigned to vulnerabilities affecting currently supported versions.* + ## Reporting Security Vulnerabilities If you discover a security vulnerability in the Postiz app, please report it through the [GitHub Security Advisory system](https://github.com/gitroomhq/postiz-app/security/advisories/new). 
@@ -23,26 +28,23 @@ If you discover a security vulnerability in the Postiz app, please report it thr When reporting a security vulnerability, please provide as much detail as possible, including: - A clear description of the vulnerability -- Proof of Concept +- Proof of concept (PoC), where possible - Steps to reproduce the vulnerability - Any relevant code or configuration files -If the report has immidiate urgency, please contact one (or more) of the maintainers via email: +If the report has immediate urgency, please contact one (or more) of the maintainers via email: - @egelhaus ([E-Mail](mailto:egelhaus@ennogelhaus.de)) ### AI Reports -We do not evaluate or support security reports generated by LLMs (Large-Language Models / AI). Any report that seems to be generated by AI will be instantly closed on sight by one of our maintainers. -However, if the AI report has been closely evaluated by human oversight, and provides a PoC (Proof of Concept) and a reproduction guide, with potential Impact for Postiz, we may evaluate your report like human-generated reports -## Supported Versions +Reports that appear to be LLM-generated without meaningful human analysis — typically lacking a working proof of concept, reproducible steps, or accurate impact assessment — will be closed without detailed response. -This project currently only supports the latest release. We recommend that users always use the latest version of the Postiz app to ensure they have the latest security patches. -*CVE IDs will only be assigned to vulnerabilities affecting currently supported versions.* +Reports that include AI-assisted analysis are welcome provided they have been validated by the reporter and include a proof of concept, reproduction steps, and impact assessment. ## Disclosure Guidelines -We follow a private disclosure policy. If you discover a security vulnerability, please report it to us privately via GitHub Security Advisories, and if immidiate urgency, via email as listed above. 
We will respond promptly to reports of vulnerabilities and work to resolve them as quickly as possible. +We follow a private disclosure policy. If you discover a security vulnerability, please report it to us privately via GitHub Security Advisories, and if immediate urgency, via email as listed above. We will respond promptly to reports of vulnerabilities and work to resolve them as quickly as possible. We will not publicly disclose security vulnerabilities until a patch or fix is available to prevent malicious actors from exploiting the vulnerability before a fix is released. @@ -59,8 +61,8 @@ We take security vulnerabilities seriously and will respond promptly to reports We aim to follow these timelines: -- **Initial Acknowledgement:** Within 72 hours of initial report. -- **Completed Triage / Verification:** Within 7 days of initial acknowledgement. -- **Critical Issue Remedition:** Within 90 days of completed triage. -- **Non-Critical Issue Remedition:** Within 180 days of completed triage. -- **CVE Publication:** Within 24 hours of remedition release. +- **Initial Acknowledgment:** Within 72 hours of initial report. +- **Completed Triage / Verification:** Within 7 days of initial acknowledgment. +- **Critical Issue Remediation:** Within 90 days of completed triage. +- **Non-Critical Issue Remediation:** Within 180 days of completed triage. +- **CVE Publication:** Within 24 hours of remediation release. \ No newline at end of file From ec4759e9349cb26027da7ce83d22b11154a78db6 Mon Sep 17 00:00:00 2001 From: Enno Gelhaus Date: Mon, 20 Apr 2026 03:11:24 +0200 Subject: [PATCH 5/5] feat: include cloud in security scope --- SECURITY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SECURITY.md b/SECURITY.md index d270c269..6ca97be5 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -12,6 +12,7 @@ We, at Postiz (gitroomhq), cover the following scopes for vulnerability disclosu - All `gitroomhq` repositories that are official components, tooling, or integrations of Postiz - Official Postiz container images published under `gitroomhq` on GHCR - Official Postiz CLI tools and NPM packages (NPM org: @postiz) +- Postiz-Cloud related infrastructure & services. (API, Frontend, Configurations etc.) - Plugins for Postiz maintained within the `gitroomhq` organization Vulnerabilities in third-party dependencies or user-hosted infrastructure are outside of this scope.
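Review bot: In PATCH 1/5, hunk `@@ -18,7 +29,6 @@`, dropping `- @nevo-david ([E-Mail](mailto:nevo@postiz.com))` without adding a replacement leaves a single personal mailbox as the only urgent-contact channel, which is a single point of failure for time-critical reports; a shared security alias or a second named maintainer would be safer. The context line `If the report has immidiate urgency` also carries a typo ("immediate") that this patch could fix while it is already touching the paragraph.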
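Review bot: In PATCH 1/5, hunk `@@ -27,10 +37,11 @@`, the added Disclosure Guidelines line misspells "immediate" (`and if immidiate urgency, via email`) and the clause is ungrammatical; suggest "or, if the matter is urgent, via email to the maintainer listed above". The channel change from email to GitHub Security Advisories is consistent with the Reporting section, so that part reads fine.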
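Review bot: In PATCH 1/5, hunk `@@ -42,3 +53,13 @@`, "Remedition" is misspelled in three of the added bullets (`Critical Issue Remedition`, `Non-Critical Issue Remedition`, `remedition release`). Beyond spelling, the timelines say nothing about what happens when a deadline slips or when the reporter may disclose on their own, and `CVE Publication: Within 24 hours of remedition release` presumes an assigning CNA that the document never names; stating the disclosure deadline and the CVE assignment path (for example, requesting an ID through the GitHub advisory that the report already lives in) would make the commitment testable.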
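Review bot: In PATCH 2/5, hunk `@@ -6,12 +6,13 @@`, the added bullet `Docker images of Positz on GHCR.` misspells the project name and ends with a period while its siblings do not. The new wording `official components, tooling, or integrations of Postiz` is clearer than the old name/README string match, but it still leaves reporters to guess what counts as official; linking an enumerated list of in-scope repositories, images and the npm scope (`@postiz`) would remove the ambiguity.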
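Review bot: In PATCH 4/5, hunk `@@ -23,26 +28,23 @@`, the reporting checklist now reads `Proof of concept (PoC), where possible`, but the added AI Reports paragraph makes a proof of concept mandatory for AI-assisted reports (`provided they have been validated by the reporter and include a proof of concept, reproduction steps, and impact assessment`); the two requirements should be reconciled so reporters know which rule applies. The rewritten Disclosure Guidelines line still has the awkward `and if immediate urgency, via email` construction noted on the earlier patch.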
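Review bot: In PATCH 4/5, hunk `@@ -59,8 +61,8 @@`, the spelling fixes are correct, but the hunk ends with `\ No newline at end of file`; please add the trailing newline so the last bullet renders and diffs cleanly in later changes.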
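Review bot: In PATCH 5/5, hunk `@@ -12,6 +12,7 @@`, the added bullet `Postiz-Cloud related infrastructure & services. (API, Frontend, Configurations etc.)` reintroduces the trailing period and the "etc." vagueness that PATCH 3/5 just cleaned up, and "Configurations" does not tell a reporter what is meant. More importantly, this line brings live production systems into scope, so the policy should say what testing is acceptable against them (for example, no impact on other users' data or service availability) and whether good-faith reporters are offered safe harbor; without that, the exclusion of `user-hosted infrastructure` in the next line is the only boundary the document draws.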