mirror of https://github.com/usememos/memos
chore(docs): update security policy to prevent public vulnerability disclosure
- Direct security reports to email only instead of public GitHub issues
- Set clear expectations: no CVEs during beta (v0.x) phase
- Add security best practices for self-hosted deployments
- Plan formal vulnerability disclosure program for v1.0+

Addresses #5255

pull/5263/merge
parent
a533ba02dc
commit
d69435c97c
@ -1,7 +1,46 @@
# Security Policy
# Security Policy
## Reporting a bug
## Project Status
Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues).
Memos is currently in beta (v0.x). While we take security seriously, we are not yet ready for formal CVE assignments or coordinated disclosure programs.
For more information, please contact [usememos@gmail.com](usememos@gmail.com).
## Reporting Security Issues
### For All Security Concerns:
Please report via **email only**: usememos@gmail.com
**DO NOT open public GitHub issues for security vulnerabilities.**
Include in your report:
- Description of the issue
- Steps to reproduce
- Affected versions
- Your assessment of severity
### What to Expect:
- We will acknowledge your report as soon as we can
- Fixes will be included in regular releases without special security advisories
- No CVEs will be assigned during the beta phase
- Credit will be given in release notes if you wish
### For Non-Security Bugs:
Use GitHub issues for functionality bugs, feature requests, and general questions.
## Philosophy
As a beta project, we prioritize:
1. **Rapid iteration** over lengthy disclosure timelines
2. **Quick patches** over formal security processes
3. **Transparency** about our beta status
We plan to implement formal vulnerability disclosure and CVE handling after reaching v1.0 stable.
## Self-Hosting Security
Since Memos is self-hosted software:
- Keep your instance updated to the latest release
- Don't expose your instance directly to the internet without authentication
- Use reverse proxies (nginx, Caddy) with rate limiting
- Review the deployment documentation for security best practices
Thank you for helping improve Memos!
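Review bot: the new "What to Expect" list (`- We will acknowledge your report as soon as we can`) gives a reporter no target response time and no fallback if the single Gmail address goes unanswered, and this revision removes the GitHub issues path the old text offered; consider stating a concrete acknowledgement window (a number of business days) and naming a second channel, such as GitHub's private vulnerability reporting, so the email-only rule in `Please report via **email only**: usememos@gmail.com` does not become a dead end. Related: `- Fixes will be included in regular releases without special security advisories` sits uneasily with `- Keep your instance updated to the latest release` in the Self-Hosting Security section, because an operator cannot tell which release closes a security issue; at minimum, commit to marking security-relevant fixes in the release notes. Minor style point: the added `###` headings end in colons (`### For All Security Concerns:`, `### What to Expect:`, `### For Non-Security Bugs:`), which is unusual for Markdown headings and inconsistent with the `##` headings above them.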