Merged
91 changes: 1 addition & 90 deletions SECURITY.md
Expand Up @@ -11,7 +11,7 @@ Please do not report security vulnerabilities through public GitHub issues, disc

### 2. Report privately

Send an email to: **security@yourcompany.com** (replace with actual email)
Send an email to: agarlan@sandia.vo

Include the following information:
- Description of the vulnerability
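Review bot: the replacement address `agarlan@sandia.vo` on the added line looks mistyped: `.vo` is not a delegated top-level domain, so mail sent to it will bounce and the "Report privately" instruction becomes unusable. Confirm the intended domain before merging. Separately, swapping the `security@` placeholder for an individual's mailbox means reports are lost when that person is away or leaves; a role alias (the form the placeholder had) is the safer choice, and if the repository has GitHub private vulnerability reporting enabled it is worth naming it here as a second channel.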
Expand All @@ -32,97 +32,8 @@ Include the following information:
- We will work on a fix and coordinate disclosure
- We will credit you for the discovery (if desired)

## Security Measures

### Automated Security Scanning

This repository uses multiple automated security tools:

- **Dependency Scanning**: Safety (Python), npm audit (Node.js), Snyk
- **SAST**: Bandit (Python), Semgrep (multi-language), CodeQL
- **Secrets Detection**: TruffleHog, GitLeaks
- **Container Scanning**: Trivy, Docker Scout
- **Regular Scans**: Daily automated security checks

### Security Best Practices

#### For Contributors

1. **Dependencies**
- Regularly update dependencies
- Use `npm audit` and `safety check` before committing
- Pin dependency versions in production

2. **Code Security**
- Follow secure coding practices
- Validate all user inputs
- Use parameterized queries for database operations
- Implement proper authentication and authorization

3. **Secrets Management**
- Never commit secrets, API keys, or passwords
- Use environment variables for sensitive data
- Use GitHub Secrets for CI/CD pipelines

4. **Container Security**
- Use minimal base images
- Run containers as non-root users
- Keep container images updated

#### For Deployments

1. **Environment Security**
- Use HTTPS in production
- Implement proper firewall rules
- Regular security updates
- Monitor for suspicious activities

2. **Data Protection**
- Encrypt sensitive data at rest and in transit
- Implement proper backup and recovery procedures
- Follow data retention policies

## Security Architecture

### Authentication & Authorization

- JWT-based authentication
- Role-based access control (RBAC)
- Secure session management

### Data Security

- Input validation and sanitization
- SQL injection prevention
- XSS protection
- CSRF protection

### Infrastructure Security

- Container security scanning
- Network security
- Regular security updates
- Monitoring and logging

## Compliance

This project follows security best practices aligned with:

- OWASP Top 10
- NIST Cybersecurity Framework
- Industry standard security practices

## Security Contacts

- Security Team: security@yourcompany.com
- Product Security: product-security@yourcompany.com
- Infrastructure Security: infra-security@yourcompany.com

## Acknowledgments

We appreciate the security research community and will acknowledge researchers who report vulnerabilities responsibly.

---

**Last Updated**: January 2025
**Version**: 1.0
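Review bot: this hunk removes the `**Last Updated**` / `**Version**` footer along with the rest of the policy, so nothing in the file records when it was last revised; keep a dated footer line so a reporter can tell whether the contact address above is still current. The deleted "Automated Security Scanning" list named specific tools (Safety, Bandit, Semgrep, CodeQL, TruffleHog, GitLeaks, Trivy, Docker Scout) and a daily scan cadence: if any of those actually run as workflows in this repository, that is useful context for a reporter and should stay; if none do, the commit message should state that the section was template text, because the diff alone does not show which. Dropping the `Security Contacts` block with its three `@yourcompany.com` placeholders is consistent with the single address added in the first hunk.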