Update SECURITY.md

h3p 2026-03-27 05:23:34 +01:00 committed by GitHub
parent 4e18773df5
commit 09722dd690
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -1,17 +1,131 @@
# Security Policy # Security Policy
## Supported versions Thank you for helping keep Neon Vision Editor and its users secure.
This project is currently in beta. Security fixes may be released in new tags, but there is no long-term support policy yet. Neon Vision Editor is a lightweight, native editor focused on speed, readability, privacy, and minimalism. This document explains which versions currently receive security attention and how to report a potential vulnerability responsibly.
## Reporting a vulnerability ## Supported Versions
If you believe you found a security vulnerability, please **do not** open a public issue. As an actively developed pre-1.0 project, security fixes are generally applied to the latest public release and to the current `main` branch.
Instead, contact the maintainer via GitHub with a private report including: | Version | Supported |
- a description of the issue | --- | --- |
- steps to reproduce | Latest release | ✅ Yes |
- potential impact | Previous release (best effort, if fix is low-risk) | ⚠️ Limited |
- any suggested fixes (if you have them) | Older releases | ❌ No |
| Unreleased local forks / modified builds | ❌ No |
Thank you for helping keep users safe. Notes:
- If a vulnerability affects an older release but the fix is straightforward, it may still be patched at maintainer discretion.
- Users should upgrade to the latest release as soon as practical.
## Reporting a Vulnerability
Please **do not** report security vulnerabilities through public GitHub issues, discussions, pull requests, Reddit, social posts, or App Store reviews.
### Preferred reporting method
Use GitHubs **private vulnerability reporting** for this repository, if available:
- Open the repository on GitHub
- Go to **Security**
- Click **Report a vulnerability**
This is the preferred channel because it keeps details private until the issue is reviewed and, if needed, fixed.
### Fallback reporting method
If private reporting is not available for any reason, contact the maintainer privately by opening a GitHub issue **only** asking for a private contact method, without disclosing technical details publicly.
## What to include
Please include as much of the following as possible:
- A short description of the issue
- Affected version, branch, commit, or build
- Platform details:
- macOS / iOS / iPadOS version
- device model if relevant
- Reproduction steps
- Proof of concept, sample file, or screenshots if safe to share
- Impact assessment:
- code execution
- arbitrary file access
- privilege escalation
- token exposure
- sandbox bypass
- data leakage
- denial of service / crash
- Any known mitigations or workarounds
Please avoid including secrets in reports unless absolutely necessary. If a secret must be shared to reproduce the issue, clearly label it as sensitive.
## Response Targets
Best effort targets:
- Initial acknowledgement: **within 7 days**
- Triage / severity assessment: **within 14 days**
- Status update after triage: **as available, usually within 30 days**
These are targets, not guarantees. As this is an individually maintained project, response times may vary.
## Disclosure Policy
Please follow responsible disclosure:
- Do not publish exploit details before the issue has been reviewed
- Do not publicly disclose proof-of-concept code before a fix or mitigation is available
- Do not access, modify, exfiltrate, or destroy data that does not belong to you
- Do not attempt social engineering, phishing, spam, or attacks against infrastructure outside what is strictly necessary to demonstrate the issue
- Do not perform denial-of-service, destructive testing, or mass automated exploitation
Good-faith researchers acting responsibly and within these limits are appreciated.
## Security Scope Notes
Security-relevant areas in this project may include, among others:
- File access and sandbox handling
- Security-scoped bookmarks
- Coordinated file writes
- API token storage
- AI/completion network requests
- Cross-window state isolation
- Large-file handling paths
- Import/export and document opening flows
Project principles relevant to security and privacy:
- No telemetry
- No sensitive logging
- Network calls only when explicitly user-triggered
- API tokens must remain in Keychain
- HTTPS for external requests
- No weakening of sandbox or file-security behavior
## Out of Scope
The following are generally not considered security vulnerabilities unless they create a concrete security impact:
- Basic crashes without security impact
- UI glitches
- Feature requests
- Performance-only issues
- Problems only affecting unsupported or heavily modified local builds
- Missing best-practice hardening with no demonstrable exploit path
Please report those through normal GitHub issues instead.
## Fix and Release Process
When a report is confirmed:
1. The issue will be validated privately
2. A fix will be prepared in the smallest reasonable change set
3. The fix will be released in the latest supported version
4. Public release notes may mention the security fix after a patch is available
## Thanks
Responsible reports are appreciated and help improve Neon Vision Editor for everyone.
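Review bot: the "Fallback reporting method" still sends a reporter through a public GitHub issue to obtain a private contact, which is the channel the "Reporting a Vulnerability" section tells them to avoid, and the old text's "contact the maintainer via GitHub with a private report" is dropped without a private replacement; consider adding a dedicated security contact (an email address or a `security.txt` in the repository) so that no part of the report, not even the request for contact, has to be posted publicly. Two smaller points in the same hunk: "Use GitHubs **private vulnerability reporting**" should read "GitHub's", and the "Previous release" row of the Supported Versions table gives "Limited" support while the notes below say older releases "may still be patched at maintainer discretion"; stating explicitly which releases fall under "Limited" versus "No" would keep the table and the notes from being read as contradicting each other.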