feat: security refinement

Enno Gelhaus 2026-04-19 23:09:01 +02:00 committed by GitHub
parent 8cfb634b66
commit c61e061145
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -16,6 +16,11 @@ We, at Postiz (gitroomhq), cover the following scopes for vulnerability disclosu
Vulnerabilities in third-party dependencies or user-hosted infrastructure are outside of this scope.
## Supported Versions
This project currently only supports the latest release. We recommend that users always use the latest version of the Postiz app to ensure they have the latest security patches.
*CVE IDs will only be assigned to vulnerabilities affecting currently supported versions.*
## Reporting Security Vulnerabilities
If you discover a security vulnerability in the Postiz app, please report it through the [GitHub Security Advisory system](https://github.com/gitroomhq/postiz-app/security/advisories/new).
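Review bot: the relocated "Supported Versions" section (the three lines under the new heading) says only the latest release is supported but does not say what "latest release" means for a reporter deciding whether a finding is in scope; consider stating whether that is the latest tagged release, the latest published container image, or the main branch, since the italic note makes CVE assignment depend on it. Otherwise moving this section ahead of "Reporting Security Vulnerabilities" is the right order: a reporter learns what is in scope before being asked to file.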
@ -23,26 +28,23 @@ If you discover a security vulnerability in the Postiz app, please report it thr
When reporting a security vulnerability, please provide as much detail as possible, including:
- A clear description of the vulnerability
- Proof of Concept
- Proof of concept (PoC), where possible
- Steps to reproduce the vulnerability
- Any relevant code or configuration files
If the report has immidiate urgency, please contact one (or more) of the maintainers via email:
If the report has immediate urgency, please contact one (or more) of the maintainers via email:
- @egelhaus ([E-Mail](mailto:egelhaus@ennogelhaus.de))
### AI Reports
We do not evaluate or support security reports generated by LLMs (Large-Language Models / AI). Any report that seems to be generated by AI will be instantly closed on sight by one of our maintainers.
However, if the AI report has been closely evaluated by human oversight, and provides a PoC (Proof of Concept) and a reproduction guide, with potential Impact for Postiz, we may evaluate your report like human-generated reports
## Supported Versions
Reports that appear to be LLM-generated without meaningful human analysis — typically lacking a working proof of concept, reproducible steps, or accurate impact assessment — will be closed without detailed response.
This project currently only supports the latest release. We recommend that users always use the latest version of the Postiz app to ensure they have the latest security patches.
*CVE IDs will only be assigned to vulnerabilities affecting currently supported versions.*
Reports that include AI-assisted analysis are welcome provided they have been validated by the reporter and include a proof of concept, reproduction steps, and impact assessment.
## Disclosure Guidelines
We follow a private disclosure policy. If you discover a security vulnerability, please report it to us privately via GitHub Security Advisories, and if immidiate urgency, via email as listed above. We will respond promptly to reports of vulnerabilities and work to resolve them as quickly as possible.
We follow a private disclosure policy. If you discover a security vulnerability, please report it to us privately via GitHub Security Advisories, and if immediate urgency, via email as listed above. We will respond promptly to reports of vulnerabilities and work to resolve them as quickly as possible.
We will not publicly disclose security vulnerabilities until a patch or fix is available to prevent malicious actors from exploiting the vulnerability before a fix is released.
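Review bot: the rewritten disclosure line ("and if immediate urgency, via email as listed above") fixes the spelling but keeps the ungrammatical phrase; suggest "and, in cases of immediate urgency, via email as listed above." Two consistency points in the same hunk: the reporting checklist now says "Proof of concept (PoC), where possible", while the AI Reports paragraph makes a proof of concept, reproduction steps and impact assessment a hard condition for AI-assisted reports, so either the checklist should say that these are optional only for fully human-authored reports, or the AI section should say "where possible" too. Also, "closed without detailed response" in the first AI paragraph and "welcome provided ..." in the second read fine together only if the old "instantly closed on sight" sentence is actually dropped; please confirm it is not retained alongside the new wording.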
@ -59,8 +61,8 @@ We take security vulnerabilities seriously and will respond promptly to reports
We aim to follow these timelines:
- **Initial Acknowledgement:** Within 72 hours of initial report.
- **Completed Triage / Verification:** Within 7 days of initial acknowledgement.
- **Critical Issue Remedition:** Within 90 days of completed triage.
- **Non-Critical Issue Remedition:** Within 180 days of completed triage.
- **CVE Publication:** Within 24 hours of remedition release.
- **Initial Acknowledgment:** Within 72 hours of initial report.
- **Completed Triage / Verification:** Within 7 days of initial acknowledgment.
- **Critical Issue Remediation:** Within 90 days of completed triage.
- **Non-Critical Issue Remediation:** Within 180 days of completed triage.
- **CVE Publication:** Within 24 hours of remediation release.
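Review bot: the "CVE Publication: Within 24 hours of remediation release" target has no stated trigger or mechanism; since reports come in through GitHub Security Advisories (see the reporting section above), consider saying that the CVE is requested and published via that advisory when the fix is released, so the 24-hour clock has a clear starting point and the commitment is something the maintainers control. Minor: this hunk switches "Acknowledgement" to "Acknowledgment"; both spellings are valid, but make sure the rest of the file (and the other docs) use the same one so the terms stay searchable.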