Skip to content

Create SECURITY.md #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
DavidsonGomes merged 1 commit into from
May 31, 2025
Merged

Create SECURITY.md #35

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
75 changes: 75 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# Security Policy

## Supported Versions

We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.

---
Comment on lines +5 to +7
Copy link

@sourcery-ai sourcery-ai bot May 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Consider adding guidance on how users can find the latest version or updates.

You might reference GitHub Releases or a security announcements channel to direct users to update information.

Suggested change
We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.
---
We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.
To find the latest version and release notes, visit our [GitHub Releases page](https://github.com/your-org/evo-ai/releases). For important security announcements, please watch the repository or subscribe to our security advisories.
---


## Reporting a Vulnerability

If you discover a security vulnerability in Evo AI, **please report it privately** and responsibly. Do **not** open a public issue.

**To report a vulnerability:**

- Email: [[email protected]](mailto:[email protected])
- Include as much detail as possible, including:
- Steps to reproduce the issue
- Potential impact
- Your suggestions (if any) for remediation
Comment on lines +16 to +19
Copy link

@sourcery-ai sourcery-ai bot May 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚨 suggestion (security): Consider adding 'Affected version(s)' to the list of details for vulnerability reports.

Requesting affected version(s) helps with triage and reproduction of security issues, leading to higher quality reports.

Suggested change
- Include as much detail as possible, including:
- Steps to reproduce the issue
- Potential impact
- Your suggestions (if any) for remediation
- Include as much detail as possible, including:
- Affected version(s)
- Steps to reproduce the issue
- Potential impact
- Your suggestions (if any) for remediation


You will receive a response as soon as possible. We may request additional information to fully understand and address the issue.

---

## Security Best Practices

- **Keep your installation up to date.**
Always use the latest stable version and regularly check for updates.

- **Environment Variables:**
Store all secrets, credentials, and keys in environment variables or secrets managers.
Never commit sensitive information to the repository.

- **Authentication:**
Evo AI uses JWT authentication with expiration, email verification, and account lockout for brute-force protection.

- **Passwords:**
All passwords are securely hashed with bcrypt and random salt.

- **Access Control:**
Access to sensitive endpoints is protected via role-based checks and resource ownership verification.

- **Audit Logs:**
Important administrative actions are logged for traceability.

- **Input Validation:**
All inputs are validated using Pydantic schemas to prevent injection attacks.

---

## Responsible Disclosure

Comment on lines +51 to +52
Copy link

@sourcery-ai sourcery-ai bot May 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: Consider defining or giving an example of 'reasonable time' for disclosure.

Specifying a typical timeframe (e.g., 'usually 90 days, adjustable based on circumstances') would clarify expectations for reporters.

Suggested change
## Responsible Disclosure
## Responsible Disclosure
Please give us a reasonable time to investigate and address any reported security issues before any public disclosure. A reasonable time is typically **90 days** from the initial report, but may be adjusted based on the complexity or severity of the issue. We will keep you informed of our progress and coordinate disclosure timelines as needed.

Please give us a reasonable time to investigate and address any reported security issues before any public disclosure.

---

## Project Security Features

- JWT tokens with limited lifetime
- Secure password hashing (bcrypt)
- Email verification with one-time tokens
- Account lockout after multiple failed login attempts
- Resource-based access control
- Strict input validation for all APIs
- Separation between regular and administrative users

---

## License

All security contributions are made under the [Apache License 2.0](./LICENSE).

---

Thank you for helping keep Evo AI and its users safe!