Files
deusdata--codebase-memory-mcp/docs/SECURITY-DISCLOSURE.md
T
wehub-resource-sync 41cb1c0170
OpenSSF Scorecard / scorecard (push) Failing after 0s
DCO / dco (push) Failing after 0s
CodeQL SAST / analyze (push) Failing after 1s
Deploy Pages / deploy (push) Failing after 1s
chore: import upstream snapshot with attribution
2026-07-13 12:28:05 +08:00

88 lines
4.3 KiB
Markdown

# Security Disclosure & Handling Process
This document explains **how security reports are handled** for
codebase-memory-mcp — what happens after you report a vulnerability, what you
can expect from us, and how disclosure and credit work.
For **how to report** a vulnerability and **what is in scope**, see
[`SECURITY.md`](../SECURITY.md). This document covers the process *after* a
report arrives.
> **This is a solo, volunteer-maintained project.** Everything below is handled
> on a good-faith, best-effort basis. The timeframes are honest targets we aim
> to beat — not contractual guarantees. If something will take longer, we will
> tell you and keep you updated rather than go silent.
## Principles
We follow **coordinated disclosure**:
1. **Fix privately, disclose publicly.** Details of an unfixed vulnerability are
never discussed in the open. We develop and validate the fix in private, ship
a release, and only then disclose.
2. **Patch before publicity.** A fixed release is always available *before* the
vulnerability is described publicly, so users can update immediately.
3. **Credit the researcher.** Public credit by default; anonymity on request.
4. **A bug fixed once should stay fixed.** Every fix ships with a regression
test or guard so the same class of issue cannot silently return.
## What happens after you report
| Step | What we do | Target (best-effort) |
|------|------------|----------------------|
| 1. **Acknowledge** | Confirm we received your report and are looking at it. | within **7 days** (usually much sooner) |
| 2. **Triage & severity** | Reproduce the issue and assign a severity (CVSS). | within **14 days** |
| 3. **Fix privately** | Develop the fix in a private environment, with a regression guard, and validate it across all supported platforms (Linux, macOS, Windows) under full CI. | severity-dependent |
| 4. **You verify** | We invite you (read-only) to confirm the fix resolves the issue and that the guard prevents regression. Your sign-off is welcomed; an unresponsive reporter will not indefinitely block a release. | — |
| 5. **Release** | Merge the fix and cut a patched release promptly. | as fast as severity warrants |
| 6. **Disclose** | Publish a [GitHub Security Advisory](https://github.com/DeusData/codebase-memory-mcp/security/advisories), request a **CVE** (GitHub is a CNA), and credit you. | after a short upgrade window |
**Overall fix timeline:** we aim to resolve and release a fix within **90 days**
of triage, and much faster for high-severity issues. Critical, actively
exploitable issues are handled with the highest priority.
## Severity
We assess severity using **CVSS** and prioritise accordingly. Roughly:
- **Critical / High** — remote code execution, sandbox/scope escape, supply-chain
compromise. Prioritised; expedited release.
- **Medium** — issues requiring local access, non-default configuration, or
significant user interaction.
- **Low** — defense-in-depth gaps, hardening, information exposure with limited
impact.
## Credit & CVE
- You are **credited by name/handle** in the published advisory unless you ask to
remain anonymous.
- A **CVE identifier** is requested for each distinct vulnerability via the
GitHub Security Advisory (one CVE per vulnerability, not per report — a single
report may yield several).
- The advisory lists the **affected and patched version ranges** so downstream
tooling (e.g. Dependabot) can alert users automatically.
## Safe harbor
We will not pursue or support legal action against researchers who act in
**good faith**, meaning you:
- only access, modify, or store data in **your own test environment**;
- avoid privacy violations, data destruction, and degradation of service for
others;
- give us a **reasonable opportunity to fix** the issue before disclosing it
publicly;
- do not exploit the issue beyond the minimum necessary to demonstrate it.
Good-faith research conducted under this policy is considered authorised, and we
will work with you, not against you.
## What we ask of you
- Report **privately** (see [`SECURITY.md`](../SECURITY.md)) — not as a public
issue, PR, or social-media post.
- Give us **reasonable time** to fix before any public write-up.
- Provide enough detail to **reproduce** (affected version, steps, impact).
Thank you for helping keep a tool used by developers worldwide safe. 🙏