mirror of https://github.com/usememos/memos
chore(docs): update security policy to prevent public vulnerability disclosure
- Direct security reports to email only instead of public GitHub issues - Set clear expectations: no CVEs during beta (v0.x) phase - Add security best practices for self-hosted deployments - Plan formal vulnerability disclosure program for v1.0+ Addresses #5255pull/5263/merge
Steven
3 days ago
parent
a533ba02dc
commit
d69435c97c
@ -1,7 +1,46 @@
|
||||
# Security Policy
|
||||
|
||||
## Reporting a bug
|
||||
## Project Status
|
||||
|
||||
Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues).
|
||||
Memos is currently in beta (v0.x). While we take security seriously, we are not yet ready for formal CVE assignments or coordinated disclosure programs.
|
||||
|
||||
For more information, please contact [usememos@gmail.com](usememos@gmail.com).
|
||||
## Reporting Security Issues
|
||||
|
||||
### For All Security Concerns:
|
||||
Please report via **email only**: usememos@gmail.com
|
||||
|
||||
**DO NOT open public GitHub issues for security vulnerabilities.**
|
||||
|
||||
Include in your report:
|
||||
- Description of the issue
|
||||
- Steps to reproduce
|
||||
- Affected versions
|
||||
- Your assessment of severity
|
||||
|
||||
### What to Expect:
|
||||
- We will acknowledge your report as soon as we can
|
||||
- Fixes will be included in regular releases without special security advisories
|
||||
- No CVEs will be assigned during the beta phase
|
||||
- Credit will be given in release notes if you wish
|
||||
|
||||
### For Non-Security Bugs:
|
||||
Use GitHub issues for functionality bugs, feature requests, and general questions.
|
||||
|
||||
## Philosophy
|
||||
|
||||
As a beta project, we prioritize:
|
||||
1. **Rapid iteration** over lengthy disclosure timelines
|
||||
2. **Quick patches** over formal security processes
|
||||
3. **Transparency** about our beta status
|
||||
|
||||
We plan to implement formal vulnerability disclosure and CVE handling after reaching v1.0 stable.
|
||||
|
||||
## Self-Hosting Security
|
||||
|
||||
Since Memos is self-hosted software:
|
||||
- Keep your instance updated to the latest release
|
||||
- Don't expose your instance directly to the internet without authentication
|
||||
- Use reverse proxies (nginx, Caddy) with rate limiting
|
||||
- Review the deployment documentation for security best practices
|
||||
|
||||
Thank you for helping improve Memos!
|
||||
|
||||
Loading…
Reference in New Issue