36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
|
# Security Policy
|
||
|
|
|
||
|
|
## Supported Versions
|
||
|
|
|
||
|
|
Security support status for currently maintained versions:
|
||
|
|
|
||
|
|
| Version | Support Status |
|
||
|
|
|---------|-----------------------|
|
||
|
|
| 2.x | ✅ Actively Maintained |
|
||
|
|
| 1.x | ❌ End of Life |
|
||
|
|
|
||
|
|
## Vulnerability Reporting
|
||
|
|
|
||
|
|
### Submit Vulnerability
|
||
|
|
Please submit reports via [GitHub Security Advisory](https://github.com/0xJacky/nginx-ui/security/advisories/new) with:
|
||
|
|
- Affected version(s)
|
||
|
|
- Detailed vulnerability description
|
||
|
|
- Reproducible PoC (Proof of Concept)
|
||
|
|
- Environment configuration details
|
||
|
|
|
||
|
|
### Handling Process
|
||
|
|
- Valid reports will be tracked through private advisory channels
|
||
|
|
- Within 21-31 days after remediation:
|
||
|
|
- Request CVE identifier from numbering authorities
|
||
|
|
- Publish technical details on GitHub Advisory
|
||
|
|
- Update Release Notes with impact assessment
|
||
|
|
|
||
|
|
### Requirements
|
||
|
|
- **Testing Restrictions**: All security validation must be conducted in locally built isolated environments. Online demo systems are strictly prohibited for testing purposes
|
||
|
|
- **Environment Isolation**: Testing environments must be network-segregated from production systems. Test traffic must not leak beyond isolated networks
|
||
|
|
- Destructive testing is prohibited without explicit authorization
|
||
|
|
- Adhere to Coordinated Disclosure principles
|
||
|
|
- Vulnerability details must remain confidential until public disclosure
|
||
|
|
|
||
|
|
> Security researchers will be acknowledged in project credits based on contribution significance
|