diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8548d0d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy + +## Supported Versions + +We actively support the following versions of `dj-announcement-api` with security updates: + +| Version | Supported | +|---------| ------------------ | +| 1.0.0 | ✅ Fully supported | + +## Reporting a Vulnerability + +We take security issues seriously. If you find a vulnerability in `dj-announcement-api`, please report it confidentially. Here are the steps to report security vulnerabilities: + +1. **Email**: Please send an email to [aryan513966@gmail.com](mailto:aryan513966@gmail.com) with a detailed description of the vulnerability. +2. **Details**: In your email, include the following details: + - Description of the vulnerability. + - Potential impact and severity. + - Steps to reproduce the issue. + - Any other relevant information, such as proof of concept or screenshots. + +We will: +- Acknowledge your report within 2 business days. +- Work with you to understand and resolve the issue as quickly as possible. +- Provide an estimate of when a patch will be available and credit you (if desired) in the changelog. + +## Handling Vulnerabilities + +When a vulnerability is confirmed: +- We will create a fix and apply it to all actively supported versions of `dj-announcement-api`. +- A new release with the security fix will be published, and the vulnerability will be disclosed in the changelog or via a security advisory. +- We may delay the disclosure of details about the vulnerability until a sufficient number of users have updated to the patched version. + +## General Security Guidelines + +- Keep your `dj-announcement-api` package up to date with the latest versions to ensure you benefit from the latest security fixes. +- Follow our changelog for announcements regarding security fixes. +- Ensure that your logging configuration is secure and does not expose sensitive information in log files. 
+ +## Responsible Disclosure + +We strongly encourage responsible disclosure and will work to fix issues in a timely manner. We appreciate any effort to help make `dj-announcement-api` more secure for all users. + +Thank you for helping us improve the security of `dj-announcement-api`!
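Review bot: the "Reporting a Vulnerability" section asks reporters to send details "confidentially", but the only channel offered is a plain e-mail address (`mailto:aryan513966@gmail.com`) with no PGP key, fingerprint, or alternative private channel, so reproduction steps and proof-of-concept material would travel unencrypted; consider publishing a public key (or linking a private reporting form) next to the address and stating which one reporters should prefer. Two smaller points in the same hunk: "Supported Versions" says "the following versions" and "Handling Vulnerabilities" promises fixes for "all actively supported versions", yet the table lists only `1.0.0`, so it would help to state explicitly that only the latest release receives fixes; and the "We will" list gives a 2-business-day acknowledgement target but no target for the fix or for the maximum disclosure delay mentioned under "Handling Vulnerabilities", which reporters usually need in order to plan their own disclosure.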