chore(release): final release commit for 0.1.0
this commit includes a whole lotta fuck yeah, a whole lotta we fuckin got this, and a lot of "please change the future." i hope it works. Signed-off-by: Sienna Meridian Satterwhite <sienna@r3t.io>
This commit is contained in:
143
SECURITY.md
Normal file
143
SECURITY.md
Normal file
@@ -0,0 +1,143 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
As an early-stage project (version 0.x.y), security support is limited to the latest development version.
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| mainline branch | :white_check_mark: |
|
||||
| 0.1.x | :white_check_mark: |
|
||||
| < 0.1.0 | :x: |
|
||||
|
||||
## Security Maturity
|
||||
|
||||
**Marathon is currently in early development (0.1.x) and is NOT recommended for production use or handling sensitive data.**
|
||||
|
||||
Security considerations for the current release:
|
||||
|
||||
- ⚠️ **Network protocol** is not hardened against malicious peers
|
||||
- ⚠️ **Authentication** is not yet implemented
|
||||
- ⚠️ **Encryption** is provided by QUIC but not verified against attacks
|
||||
- ⚠️ **Authorization** is not implemented
|
||||
- ⚠️ **Data validation** is basic and not audited
|
||||
- ⚠️ **Persistence layer** stores data unencrypted locally
|
||||
|
||||
**Use Marathon only in trusted development environments with non-sensitive data.**
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
We take security issues seriously. If you discover a security vulnerability in Marathon, please help us address it responsibly.
|
||||
|
||||
### How to Report
|
||||
|
||||
**Please DO NOT report security vulnerabilities through public GitHub issues.**
|
||||
|
||||
Instead, report vulnerabilities by:
|
||||
|
||||
1. **Email**: Send details to sienna@linux.com
|
||||
2. **Subject line**: Include "SECURITY" and a brief description
|
||||
3. **Include**:
|
||||
- Description of the vulnerability
|
||||
- Steps to reproduce
|
||||
- Potential impact
|
||||
- Suggested fix (if you have one)
|
||||
|
||||
### What to Expect
|
||||
|
||||
After you submit a report:
|
||||
|
||||
1. **Acknowledgment**: We'll confirm receipt within 48 hours
|
||||
2. **Assessment**: We'll evaluate the severity and impact within 5 business days
|
||||
3. **Updates**: We'll keep you informed of our progress
|
||||
4. **Resolution**: We'll work on a fix and coordinate disclosure timing with you
|
||||
5. **Credit**: We'll acknowledge your contribution (unless you prefer to remain anonymous)
|
||||
|
||||
### Disclosure Timeline
|
||||
|
||||
- **Critical vulnerabilities**: Aim to fix within 30 days
|
||||
- **High severity**: Aim to fix within 60 days
|
||||
- **Medium/Low severity**: Addressed in regular development cycle
|
||||
|
||||
We'll coordinate public disclosure timing with you after a fix is available.
|
||||
|
||||
## Security Best Practices
|
||||
|
||||
If you're using Marathon (keeping in mind it's not production-ready):
|
||||
|
||||
### For Development
|
||||
|
||||
- **Use isolated networks** for testing
|
||||
- **Don't use real user data** or sensitive information
|
||||
- **Don't expose to the internet** without additional security layers
|
||||
- **Keep dependencies updated** with `cargo update`
|
||||
- **Review security advisories** for Rust crates you depend on
|
||||
|
||||
### For Deployment (Future)
|
||||
|
||||
Once Marathon reaches production readiness, we plan to implement:
|
||||
|
||||
- End-to-end encryption for all peer communications
|
||||
- Peer authentication and authorization
|
||||
- Encrypted local storage
|
||||
- Rate limiting and DoS protection
|
||||
- Security audit trail
|
||||
- Regular security audits
|
||||
|
||||
### Known Security Gaps
|
||||
|
||||
Current known limitations (to be addressed before 1.0):
|
||||
|
||||
- **No peer authentication** - Any peer can join a session
|
||||
- **No authorization system** - All peers have full permissions
|
||||
- **No encrypted storage** - Local SQLite database is unencrypted
|
||||
- **Limited input validation** - CRDT operations trust peer input
|
||||
- **No audit logging** - Actions are not logged for security review
|
||||
- **Network protocol not hardened** - Vulnerable to malicious peers
|
||||
|
||||
## Security Contact
|
||||
|
||||
For security-related questions or concerns:
|
||||
|
||||
- **Email**: sienna@linux.com
|
||||
- **Response time**: Within 48 hours for initial contact
|
||||
|
||||
## Security Advisories
|
||||
|
||||
Security advisories will be published:
|
||||
|
||||
- In GitHub Security Advisories
|
||||
- In release notes
|
||||
- In this SECURITY.md file
|
||||
|
||||
Currently, there are no published security advisories.
|
||||
|
||||
## Responsible Disclosure
|
||||
|
||||
We believe in responsible disclosure and request that you:
|
||||
|
||||
- Give us reasonable time to address issues before public disclosure
|
||||
- Make a good faith effort to avoid privacy violations and service disruption
|
||||
- Don't exploit vulnerabilities beyond demonstrating the issue
|
||||
- Don't access or modify data that doesn't belong to you
|
||||
|
||||
In return, we commit to:
|
||||
|
||||
- Respond promptly to your report
|
||||
- Keep you informed of our progress
|
||||
- Credit you for your discovery (if desired)
|
||||
- Not pursue legal action for good faith security research
|
||||
|
||||
## Additional Resources
|
||||
|
||||
- [Rust Security Advisory Database](https://rustsec.org/)
|
||||
- [cargo-audit](https://github.com/RustSec/rustsec/tree/main/cargo-audit) - Audit Rust dependencies
|
||||
- [OWASP Top 10](https://owasp.org/www-project-top-ten/) - Common web application security risks
|
||||
|
||||
## Version History
|
||||
|
||||
- **2026-02-06**: Initial security policy for v0.1.0 release
|
||||
|
||||
---
|
||||
|
||||
**Thank you for helping keep Marathon and its users safe!**
|
||||
Reference in New Issue
Block a user