Matsubaa/FedDIY
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94c7cadcd743faa479c2984c28c0626403ec2b9d
FedDIY/SECURITY.md
T
Matsubaa 941a9da928 feat: Update ROADMAP with personal data handling and user moderation features 
- Added goals for defining personal data categories and retention obligations.
- Included exit criteria for user-level moderation, personal collections, and self-service data export.
- Expanded Phase 2 goals to include remote actor moderation and shareable block lists.

chore: Update flake.nix to specify main program

- Set the main program for the project in the flake configuration.

feat: Add issue templates for bug reports, feature requests, and questions

- Created structured templates to streamline issue reporting and feature suggestions.

docs: Add pull request template for consistent contributions

- Introduced a PR template to guide contributors on providing necessary information.

docs: Establish a Code of Conduct for community behavior

- Implemented a Code of Conduct to promote a respectful and inclusive environment.

docs: Create Diversity, Equity, and Inclusion (DEI) statement

- Outlined commitment to diversity and inclusion within the FeDIY community.

docs: Define Code Review Guidelines for constructive feedback

- Established guidelines to ensure respectful and effective code reviews.

docs: Implement Security Policy for vulnerability reporting

- Created a security policy detailing how to report vulnerabilities and our commitment to addressing them.
2026-05-23 17:26:28 -05:00

4.2 KiB
Raw Blame History

Security Policy

Reporting Security Vulnerabilities

FeDIY takes security seriously. If you discover a security vulnerability in the project, we appreciate your help in disclosing it responsibly.

Please do not open a public GitHub issue for security vulnerabilities.

Instead, please report security issues by emailing [security@moturpin.com] with:

  • A clear description of the vulnerability
  • Steps to reproduce the issue (if possible)
  • Potential impact on users and systems
  • Any proposed fixes you may have

You can also use GitHub's private vulnerability reporting feature by navigating to the Security tab of the repository and clicking "Report a vulnerability."

What We Commit To

  • Acknowledge receipt of your report within 48 hours
  • Provide an initial assessment of the vulnerability within 5 business days
  • Keep you informed of progress toward a fix
  • Publish security advisories for confirmed vulnerabilities, with credit to the reporter (unless you prefer to remain anonymous)
  • Work toward a coordinated disclosure timeline with you

Security Expectations

While we work to maintain FeDIY's security, please understand:

  • FeDIY is an open source project maintained by volunteers. Response times may vary.
  • We follow responsible disclosure practices and expect the same from reporters.
  • We ask that you allow us a reasonable time (typically 30-90 days) to release a patch before public disclosure.
  • If you'd like to discuss timeline adjustments, please let us know.

Security Best Practices for Users

Running FeDIY

  • Keep dependencies updated. Rust dependencies are managed via Cargo. Regularly run cargo update to get security patches.
  • Use HTTPS. When deploying FeDIY, use HTTPS for all connections to prevent eavesdropping.
  • Secure your database. PostgreSQL (or SQLite) instances should be properly secured with strong authentication and restricted network access.
  • Audit access. Regularly review who has administrative access to your FeDIY instance.
  • Monitor logs. Watch logs for suspicious activity and configure alerting for authentication failures.

ActivityPub Federation

  • FeDIY federates via ActivityPub. Be aware that activities may be shared with other federated instances.
  • Instances should enforce their own content policies and block malicious instances if needed.
  • User data shared via federation should be treated as public and potentially persistent.

Development Security

Contributors should:

  • Review code carefully. Security vulnerabilities can hide in unexpected places. Code review is our first defense.
  • Use secure coding practices. Avoid SQL injection, XSS, CSRF, and other common vulnerabilities. See OWASP Top 10 for reference.
  • Validate all input. Never trust user input. Always validate and sanitize data before processing.
  • Use type safety. Rust's type system prevents many classes of vulnerabilities. Use it effectively.
  • Document security decisions. If you make security-related changes, document the reasoning in commit messages or ADRs.

Supported Versions

Version Status Security Updates
0.1.x Alpha Best effort
Future TBD Will be defined

Note: During the early alpha phase (v0.1), security patches may be released ad-hoc. As the project matures, we will establish a formal versioning and patching policy.

Vulnerability Disclosure

When we discover or are notified of a security vulnerability, we will:

  1. Confirm the vulnerability and assess its severity
  2. Develop and test a fix
  3. Coordinate a release with security patches
  4. Publish a security advisory with details and credit
  5. Acknowledge and thank the reporter

Security Contacts

  • Email: security@moturpin.com
  • GitHub Security Advisory: Use the "Report a vulnerability" tab in the GitHub repository

Additional Resources

Last Updated: May 2026

Reference in New Issue View Git Blame Copy Permalink