morgane/EverShelf
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
Files
7947f47e6d618a7d07e4e9dd3f76aec2ba83da62
EverShelf/SECURITY.md
T
dadaloop82 da4bd635db feat: professional repo cleanup + community infrastructure 
- README: remove Recent Updates section, clean roadmap (pending only),
  replace Screenshots with demo link, add 6 new badges (stars, last
  commit, contributors, discussions, CI), invite GIF contributions
- CHANGELOG: translate all Italian entries to English, add v1.7.13
  (DB fresh-install crash fix)
- database.php: add missing 'undone' column to transactions schema;
  wrap ALTER TABLE calls in try/catch to prevent race-condition errors
  on concurrent first requests
- Wiki: Android-Kiosk v1.5.0 → v1.6.0, Step 5 rewritten (BLE scan,
  no external APK), removed gateway troubleshooting section
- Wiki: Scale-Gateway promoted to deprecated with redirect banner
- Wiki: Home What's New updated to v1.7.12 / v1.7.13
- Wiki: Features.md, kiosk README Italian UI strings translated
- .github: add bug_report.yml, feature_request.yml issue templates,
  config.yml (blank issues off, links to FAQ/Discussions/Security),
  PULL_REQUEST_TEMPLATE.md with checklist
- .github: FUNDING.yml (Ko-fi), dependabot.yml (monthly action updates)
- .github/workflows/security.yml: Trivy docker + fs scan, SARIF upload
- .github/workflows/build-scale-gateway.yml: disabled (deprecated)
- SECURITY.md: responsible disclosure policy, supported versions, scope
- CODE_OF_CONDUCT.md: Contributor Covenant 2.1
- Settings UI: About section with version display, Report Bug button,
  Changelog and GitHub links; reportBugManual() + _loadAboutSection()
- Translations: added 'about' key group (9 keys × 3 languages)
2026-05-16 06:02:18 +00:00

1.6 KiB
Raw Blame History

Security Policy

Supported Versions

Only the latest released version of EverShelf receives security fixes.

Version Supported
Latest (1.7.x)
Older releases

Reporting a Vulnerability

Please do NOT open a public GitHub issue for security vulnerabilities.

Report security issues privately via email:

📧 evershelfproject@gmail.com

Include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your GitHub username (optional — for credit)

I aim to acknowledge reports within 48 hours and release a fix within 7 days for critical issues.

Scope

EverShelf is a self-hosted application. The security model assumes:

  • It runs on a trusted private network (home LAN)
  • Access from the internet requires the user to set up their own authentication layer (e.g. reverse proxy with Authelia, Nginx auth_basic)

Out-of-scope issues:

  • Vulnerabilities that require physical access to the server
  • Issues only affecting users who have not followed the security recommendations in the README
  • Denial-of-service attacks on the demo server

Security Features

  • API keys stored server-side in .env, never sent to the browser
  • get_settings returns only boolean flags (gemini_key_set), never raw key values
  • Optional SETTINGS_TOKEN protects write operations (hash_equals to prevent timing attacks)
  • DEMO_MODE=true blocks all write operations at the router level
  • Parameterized SQL queries (PDO prepared statements) throughout
  • Input validation and length limits on all user-supplied fields
  • .env and data/ directories denied via web server config (see README)
Reference in New Issue View Git Blame Copy Permalink