# ๐Ÿ” Security Policy ## ๐Ÿ“ฆ Project: [checkcle](https://github.com/operacle/checkcle) **checkcle** is a self-hosted uptime and server monitoring tool built with TypeScript and Go. We care about the security and privacy of users running this project in production environments. --- ## ๐Ÿ“ฃ Reporting a Vulnerability If you believe you have found a security vulnerability in this project: - **DO NOT** open a public issue to report it. - Please report it responsibly via one of the following methods: ### ๐Ÿ” Preferred: [Report a Vulnerability via GitHub](https://github.com/operacle/checkcle/security/advisories/new) - Use the GitHub security advisory form (private and secure). - Attach as much detail as possible: - Description of the issue - Affected version or commit hash - Reproduction steps - Impact and any potential mitigations - Logs or screenshots (if available) ### ๐Ÿ“ง Alternatively: Contact the Maintainer - Email: `security@checkcle.io` - Optionally include a PGP public key for encrypted messages We aim to respond within **3โ€“5 business days**. --- ## โœ… Supported Versions We support the latest stable release of `checkcle`. Security patches may also be applied to recent versions at our discretion. | Version | Supported | |---------|-----------| | `develop` (latest) | โœ… Yes | | `main` (latest) | โœ… Yes | | Older versions | โš ๏ธ Best-effort | | Pre-release or forks | โŒ No | --- ## ๐Ÿ” Security Practices CheckCle follows these practices to improve overall security: - ๐Ÿ”Ž Regular vulnerability scanning (npm audit for JavaScript dependencies, govulncheck for Go modules) - โ›“๏ธ Dependency pinning (package-lock.json and Go modules) - โœ… Type-safe code in TypeScript and memory-safe design in Go - ๐Ÿงช Continuous testing and CI pipelines - ๐Ÿ” No data is stored or transmitted unless explicitly configured by the user - ๐Ÿง‘โ€๐Ÿ’ป All code contributions are reviewed before merging --- ## โš ๏ธ Known Security Limitations - Outbound HTTPS requests: CheckCle agents perform outbound HTTPS connections to send metric data to the backend server. Avoid deploying in untrusted or high-risk environments without appropriate network policies and monitoring. - The data may be lost upon system restarts or crashes. Always ensure that backup (pb_data) and recovery mechanisms are in place in production environments. --- ## ๐Ÿ“„ License This project is released under the [MIT License](./LICENSE). Use at your own risk. The Creator and contributors are not liable for misuse, data loss, or operational impact resulting from use of the software. --- ## ๐Ÿ™Œ Acknowledgements We appreciate responsible disclosures from the community. Your efforts help us make the open-source ecosystem safer for everyone. Thanks & Regards, โ€” [Tola Leng](https://github.com/tolaleng)