|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +zap.cooking is a continuously deployed web application. Security updates are applied to the current production release. Only the latest version is actively supported. |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------------ | ------------------ | |
| 9 | +| Latest (main)| :white_check_mark: | |
| 10 | +| Older builds | :x: | |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +We take security seriously at zap.cooking. If you discover a vulnerability, please follow responsible disclosure practices and **do not** open a public GitHub issue. |
| 15 | + |
| 16 | +### How to Report |
| 17 | + |
| 18 | +Report vulnerabilities by sending a Nostr DM to the zap.cooking maintainer or by emailing **security@zap.cooking**. |
| 19 | + |
| 20 | +Please include: |
| 21 | +- A clear description of the vulnerability |
| 22 | +- Steps to reproduce the issue |
| 23 | +- Potential impact and affected components |
| 24 | +- Any suggested mitigations if known |
| 25 | + |
| 26 | +### What to Expect |
| 27 | + |
| 28 | +- **Acknowledgment**: You will receive an acknowledgment within 48 hours of your report. |
| 29 | +- **Updates**: We will provide status updates every 5–7 days while the issue is under investigation. |
| 30 | +- **Resolution timeline**: We aim to patch critical vulnerabilities within 7 days and moderate issues within 30 days. |
| 31 | +- **Disclosure**: We ask that you allow us reasonable time to address the issue before any public disclosure. |
| 32 | + |
| 33 | +### Accepted Vulnerabilities |
| 34 | + |
| 35 | +If your report is accepted, we will: |
| 36 | +- Work with you on a fix and coordinated disclosure timeline |
| 37 | +- Credit you in the release notes or changelog (if you wish) |
| 38 | +- Potentially reward impactful discoveries with a zap ⚡ |
| 39 | + |
| 40 | +### Declined Vulnerabilities |
| 41 | + |
| 42 | +If your report is declined, we will provide a clear explanation of why the issue does not qualify as a security vulnerability (e.g., known limitation, out of scope, intended behavior). |
| 43 | + |
| 44 | +## Scope |
| 45 | + |
| 46 | +The following are in scope for security reports: |
| 47 | + |
| 48 | +- **zap.cooking** web application and PWA |
| 49 | +- **Android and iOS** mobile apps |
| 50 | +- **members.zap.cooking** private relay |
| 51 | +- Lightning Network payment flows and Zap integrations |
| 52 | +- NIP-46 remote signing implementations |
| 53 | +- Authentication and session management |
| 54 | +- User data handling and privacy |
| 55 | + |
| 56 | +Out of scope: |
| 57 | +- Third-party Nostr relays not operated by zap.cooking |
| 58 | +- Social engineering attacks |
| 59 | +- Denial of service via Nostr spam (this is a protocol-level concern) |
| 60 | +- Issues in underlying libraries without a demonstrated exploit path |
| 61 | + |
| 62 | +## Security Considerations for Nostr & Lightning |
| 63 | + |
| 64 | +zap.cooking is built on decentralized protocols. Users should be aware that: |
| 65 | + |
| 66 | +- **Private keys are your responsibility.** zap.cooking does not store or have access to your Nostr private key when using a signer extension or NIP-46. |
| 67 | +- **Lightning payments are irreversible.** Always verify zap amounts before confirming. |
| 68 | +- **Nostr is a public protocol.** Content published to public relays is permanently public. |
| 69 | + |
| 70 | +We recommend users always interact with zap.cooking using a hardware signer or trusted NIP-46 remote signer rather than entering private keys directly. |
0 commit comments