From 0217096a1c1647531c9f1c6733638e4b2750f9ef Mon Sep 17 00:00:00 2001 From: Joe Harrison <53116754+sudo-kraken@users.noreply.github.com> Date: Mon, 6 Oct 2025 19:03:22 +0100 Subject: [PATCH] docs: add comprehensive security policy (#1970) * docs: add comprehensive security policy * Update SECURITY.md Co-authored-by: Ludovic Ortega * Update SECURITY.md Co-authored-by: Ludovic Ortega * Update SECURITY.md Co-authored-by: Ludovic Ortega --------- Co-authored-by: Ludovic Ortega --- SECURITY.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..5ea637079 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,51 @@ +# Security Policy + +## Reporting Security Issues + +Maintainers and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + +To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](../../security/advisories/new) tab. + +**Please do not report security vulnerabilities through public GitHub issues, discussions, or Discord.** + +## What to Include in Your Report + +To help us better understand and resolve the issue, please include as much of the following information as possible: + +- Full paths of source file(s) related to the manifestation of the issue +- The location of the affected source code (tag/branch/commit or direct URL) +- Any special configuration required to reproduce the issue +- Step-by-step instructions to reproduce the issue +- Proof-of-concept or exploit code (if possible) +- Impact of the issue + +## Response Timeline + +We will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +## Disclosure Policy + +- Security issues will be disclosed in a coordinated manner +- We will credit reporters in the security advisory unless anonymity is requested +- We request that you do not publicly disclose the issue until we have released a fix + +## Third-Party Dependencies + +If you discover a security vulnerability in a third-party dependency used by Jellyseerr, please report it directly to the maintainers of that module. 
You can also notify us through our security advisory process so we can: + +- Track the issue and monitor for updates +- Apply patches or workarounds if available +- Coordinate with upstream maintainers when necessary +- Communicate the impact to our users + +We regularly monitor and update our dependencies to address known security vulnerabilities. + +## Security Updates + +Security updates and advisories will be published on our [GitHub Security Advisories page](../../security/advisories). + +## Community + +For general questions and support (non-security related): +- [GitHub Discussions](../../discussions) +- [Discord](https://discord.gg/ckbvBtDJgC) \ No newline at end of file
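Review bot: the "Response Timeline" section in this hunk states no timeline at all; it promises "a response indicating the next steps" but gives no acknowledgement window or target for triage, so a reporter cannot tell when it is reasonable to escalate. Consider adding concrete commitments such as "We aim to acknowledge reports within 5 business days and to provide an initial assessment within 14 days", and pairing them with a maximum embargo in the "Disclosure Policy" bullets (for example, "we ask that you withhold public disclosure for up to 90 days or until a fix is released, whichever is sooner"), so the "do not publicly disclose until we have released a fix" request is bounded rather than open-ended. The policy also never says which versions or branches receive security fixes; a short "Supported Versions" section (a common SECURITY.md convention) listing the release line that gets patches would let reporters check that they are testing a supported build before filing. Two smaller points: the relative links `../../security/advisories/new`, `../../security/advisories` and `../../discussions` resolve correctly only when GitHub renders the file from its blob path and will break on mirrors, package registries or a plain clone, so absolute `https://github.com/<org>/<repo>/...` URLs are safer for a document that is meant to be found from outside the repository; and the file is committed without a trailing newline (the `\ No newline at end of file` marker), which many linters and future diffs will flag, so add one.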