@@ -0,0 +1,35 @@
+# Security Policy
+
+## Supported Versions
+
+Security support status for currently maintained versions:
+
+| Version | Support Status |
+|---------|-----------------------|
+| 2.x | ✅ Actively Maintained |
+| 1.x | ❌ End of Life |
+
+## Vulnerability Reporting
+
+### Submit Vulnerability
+Please submit reports via [GitHub Security Advisory](https://github.com/0xJacky/nginx-ui/security/advisories/new) with:
+- Affected version(s)
+- Detailed vulnerability description
+- Reproducible PoC (Proof of Concept)
+- Environment configuration details
+
+### Handling Process
+- Valid reports will be tracked through private advisory channels
+- Within 21-31 days after remediation:
+ - Request CVE identifier from numbering authorities
+ - Publish technical details on GitHub Advisory
+ - Update Release Notes with impact assessment
+
+### Requirements
+- **Testing Restrictions**: All security validation must be conducted in locally built isolated environments. Online demo systems are strictly prohibited for testing purposes
+- **Environment Isolation**: Testing environments must be network-segregated from production systems. Test traffic must not leak beyond isolated networks
+- Destructive testing is prohibited without explicit authorization
+- Adhere to Coordinated Disclosure principles
+- Vulnerability details must remain confidential until public disclosure
+
+> Security researchers will be acknowledged in project credits based on contribution significance
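Review bot: The "Handling Process" section gives reporters no expectation for acknowledgement or triage; the only timeline is "Within 21-31 days after remediation", which starts from an event the reporter cannot observe. Consider adding a first-response target (for example, "we aim to acknowledge reports within N business days", with N chosen by the maintainers) and stating whether "remediation" means a fix merged on the default branch or a tagged release shipped to users, since that determines when the CVE request, advisory publication and release-notes update actually happen. Two smaller points: the "Supported Versions" table marks 1.x as "End of Life" but does not say that 1.x receives no security fixes and that reporters should reproduce against 2.x, which the "Affected version(s)" requirement above implies; and the "Requirements" bullets prohibit destructive testing "without explicit authorization" but give no contact for obtaining that authorization other than the advisory form itself, so it would help to say that the advisory thread is the channel for such requests.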