dadaloop82
da4bd635db
- README: remove Recent Updates section, clean roadmap (pending only), replace Screenshots with demo link, add 6 new badges (stars, last commit, contributors, discussions, CI), invite GIF contributions - CHANGELOG: translate all Italian entries to English, add v1.7.13 (DB fresh-install crash fix) - database.php: add missing 'undone' column to transactions schema; wrap ALTER TABLE calls in try/catch to prevent race-condition errors on concurrent first requests - Wiki: Android-Kiosk v1.5.0 → v1.6.0, Step 5 rewritten (BLE scan, no external APK), removed gateway troubleshooting section - Wiki: Scale-Gateway promoted to deprecated with redirect banner - Wiki: Home What's New updated to v1.7.12 / v1.7.13 - Wiki: Features.md, kiosk README Italian UI strings translated - .github: add bug_report.yml, feature_request.yml issue templates, config.yml (blank issues off, links to FAQ/Discussions/Security), PULL_REQUEST_TEMPLATE.md with checklist - .github: FUNDING.yml (Ko-fi), dependabot.yml (monthly action updates) - .github/workflows/security.yml: Trivy docker + fs scan, SARIF upload - .github/workflows/build-scale-gateway.yml: disabled (deprecated) - SECURITY.md: responsible disclosure policy, supported versions, scope - CODE_OF_CONDUCT.md: Contributor Covenant 2.1 - Settings UI: About section with version display, Report Bug button, Changelog and GitHub links; reportBugManual() + _loadAboutSection() - Translations: added 'about' key group (9 keys × 3 languages)
49 lines
1.6 KiB
Markdown
49 lines
1.6 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
Only the latest released version of EverShelf receives security fixes.
|
|
|
|
| Version | Supported |
|
|
|---------|-----------|
|
|
| Latest (1.7.x) | ✅ |
|
|
| Older releases | ❌ |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Please do NOT open a public GitHub issue for security vulnerabilities.**
|
|
|
|
Report security issues privately via email:
|
|
|
|
**📧 evershelfproject@gmail.com**
|
|
|
|
Include:
|
|
- A description of the vulnerability
|
|
- Steps to reproduce
|
|
- Potential impact
|
|
- Your GitHub username (optional — for credit)
|
|
|
|
I aim to acknowledge reports within **48 hours** and release a fix within **7 days** for critical issues.
|
|
|
|
## Scope
|
|
|
|
EverShelf is a **self-hosted** application. The security model assumes:
|
|
|
|
- It runs on a trusted private network (home LAN)
|
|
- Access from the internet requires the user to set up their own authentication layer (e.g. reverse proxy with Authelia, Nginx `auth_basic`)
|
|
|
|
Out-of-scope issues:
|
|
- Vulnerabilities that require physical access to the server
|
|
- Issues only affecting users who have not followed the security recommendations in the README
|
|
- Denial-of-service attacks on the demo server
|
|
|
|
## Security Features
|
|
|
|
- API keys stored server-side in `.env`, never sent to the browser
|
|
- `get_settings` returns only boolean flags (`gemini_key_set`), never raw key values
|
|
- Optional `SETTINGS_TOKEN` protects write operations (`hash_equals` to prevent timing attacks)
|
|
- `DEMO_MODE=true` blocks all write operations at the router level
|
|
- Parameterized SQL queries (PDO prepared statements) throughout
|
|
- Input validation and length limits on all user-supplied fields
|
|
- `.env` and `data/` directories denied via web server config (see README)
|