From 55137571d27cca3106e48ced2ed307a8fca076e5 Mon Sep 17 00:00:00 2001 From: Anthony Garland Bot 7 Date: Sat, 25 Oct 2025 18:43:33 -0600 Subject: [PATCH] Revise security policy and contact information Updated the security contact email and removed outdated sections. --- SECURITY.md | 91 +---------------------------------------------------- 1 file changed, 1 insertion(+), 90 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9a23e5c..b5c0e8d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,7 +11,7 @@ Please do not report security vulnerabilities through public GitHub issues, disc ### 2. Report privately -Send an email to: **security@yourcompany.com** (replace with actual email) +Send an email to: agarlan@sandia.vo Include the following information: - Description of the vulnerability 
@@ -32,97 +32,8 @@ Include the following information: - We will work on a fix and coordinate disclosure - We will credit you for the discovery (if desired) -## Security Measures - -### Automated Security Scanning - -This repository uses multiple automated security tools: - -- **Dependency Scanning**: Safety (Python), npm audit (Node.js), Snyk -- **SAST**: Bandit (Python), Semgrep (multi-language), CodeQL -- **Secrets Detection**: TruffleHog, GitLeaks -- **Container Scanning**: Trivy, Docker Scout -- **Regular Scans**: Daily automated security checks - -### Security Best Practices - -#### For Contributors - -1. **Dependencies** - - Regularly update dependencies - - Use `npm audit` and `safety check` before committing - - Pin dependency versions in production - -2. **Code Security** - - Follow secure coding practices - - Validate all user inputs - - Use parameterized queries for database operations - - Implement proper authentication and authorization - -3. **Secrets Management** - - Never commit secrets, API keys, or passwords - - Use environment variables for sensitive data - - Use GitHub Secrets for CI/CD pipelines - -4. **Container Security** - - Use minimal base images - - Run containers as non-root users - - Keep container images updated - -#### For Deployments - -1. **Environment Security** - - Use HTTPS in production - - Implement proper firewall rules - - Regular security updates - - Monitor for suspicious activities - -2. 
**Data Protection** - - Encrypt sensitive data at rest and in transit - - Implement proper backup and recovery procedures - - Follow data retention policies - -## Security Architecture - -### Authentication & Authorization - -- JWT-based authentication -- Role-based access control (RBAC) -- Secure session management - -### Data Security - -- Input validation and sanitization -- SQL injection prevention -- XSS protection -- CSRF protection - -### Infrastructure Security - -- Container security scanning -- Network security -- Regular security updates -- Monitoring and logging - -## Compliance - -This project follows security best practices aligned with: - -- OWASP Top 10 -- NIST Cybersecurity Framework -- Industry standard security practices - -## Security Contacts - -- Security Team: security@yourcompany.com -- Product Security: product-security@yourcompany.com -- Infrastructure Security: infra-security@yourcompany.com ## Acknowledgments We appreciate the security research community and will acknowledge researchers who report vulnerabilities responsibly. ---- - -**Last Updated**: January 2025 -**Version**: 1.0 \ No newline at end of file
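Review bot: in the `### 2. Report privately` hunk, the new address `agarlan@sandia.vo` ends in `.vo`, which does not look like a valid top-level domain; please confirm the address before merging, because a typo here means private reports bounce or go to whoever controls that domain. The hunk also replaces the placeholder with one individual's mailbox, so consider a role alias or GitHub's private vulnerability reporting alongside it so disclosures do not depend on a single inbox.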
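Review bot: the `@@ -32,97 +32,8 @@` hunk leaves a dangling `---` horizontal rule as the last content of the file, since the rule is kept as unchanged context while the `**Last Updated**: January 2025` and `**Version**: 1.0` lines after it are deleted; either remove the rule too or update the footer (for example `**Last Updated**: October 2025`) rather than dropping it. The same hunk deletes the whole `## Security Measures` section, which is the only place contributors were told to run `npm audit` and `safety check` before committing and to keep secrets out of the repo; removing the placeholder `security@yourcompany.com` contacts is fine, but if the scanners listed under `### Automated Security Scanning` (Bandit, Semgrep, CodeQL, TruffleHog, GitLeaks, Trivy) are still wired into CI, keep that list or link to the CI configuration so the policy still documents what actually runs.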