diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..b2b666a5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,74 @@ +# Security Policy + +## ๐Ÿ” Supported Versions + +We currently provide security updates for: + +| Version | Supported | +|---------|----------| +| 0.3.x | โœ… Yes | +| < 0.3 | โŒ No | + +Please make sure you're running the latest stable version. + +--- + +## ๐Ÿ›ก๏ธ Reporting a Vulnerability + +The security of our users and their communications is our highest priority. +If you discover a security vulnerability, **please do not open a public GitHub issue**. + +Instead, report it responsibly using one of the methods below: + +### Preferred Method +๐Ÿ“ง Emails: **security@vectorapp.io** **mail@jskitty.cat**
+๐Ÿ”“ GitHub's Private Vulnerability Disclosure: [here](https://github.com/VectorPrivacy/Vector/security/advisories/new) (To confirm) + +### What to Include +Please provide as much information as possible: + +- Description of the vulnerability +- Steps to reproduce +- Proof-of-concept code (if applicable) +- Impact assessment +- Suggested mitigation (if known) +- Affected version(s) + +If the vulnerability involves cryptography, authentication, message integrity, key exchange, or encryption bypass, please clearly mark it as **CRITICAL** in your report. + +--- + +## ๐Ÿ”‘ Scope + +This policy covers vulnerabilities related to: + +- Encryption and key management +- Authentication & authorization +- Message transport security + +Out of scope: + +- Issues in third-party services not maintained in this repository +- Social engineering attacks +- Physical device access (unless encryption guarantees are bypassed) + +--- + +## ๐Ÿงช Cryptography + +If reporting a cryptographic issue, please include: + +- Clear technical explanation +- Practical exploit scenario +- Required attacker capabilities +- Real-world impact + +--- + +## โš–๏ธ Compensation + +At this time, we are unable to offer financial compensation for disclosures, as Vector is a volunteer-based project. This may change in the future as the project grows. We sincerely appreciate your understanding and support. + +## ๐Ÿ™ Thank You + +We appreciate responsible disclosure and the work of security researchers helping keep private communication secure.
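Review bot: the "Preferred Method" section under "Reporting a Vulnerability" ships with an unresolved placeholder, "(To confirm)" after the GitHub Private Vulnerability Disclosure link, and the two contact addresses on the "Emails:" line run together with no separator ("**security@vectorapp.io** **mail@jskitty.cat**"), so a reader cannot tell whether both must be mailed or either will do. Resolve the placeholder before merging (either confirm that private advisories are enabled on the repository and drop the note, or remove the link until they are) and rewrite the line as, for example, "Email: **security@vectorapp.io** or **mail@jskitty.cat**". Since the policy asks reporters to send proof-of-concept code and impact details by email, consider also publishing a PGP key or otherwise stating how to send reports encrypted, and add an expected acknowledgement window (the file currently sets no response timeline, which is the main thing a reporter will look for).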