This document outlines the security practices and procedures for the PolyPhyHub/PolyPhy GitHub repository. We take security seriously and encourage responsible disclosure of any vulnerabilities or security concerns that may be identified within this project.
If you discover a security vulnerability or have any security concerns regarding the PolyPhyHub/PolyPhy repository, please report it to us as soon as possible. We appreciate the efforts of security researchers and the community in disclosing such issues responsibly.
To report a security issue, please follow these steps:
- Submit a detailed report via email to our security team at oskar[dot]elek[at]gmail[dot]com. Include all relevant information, such as the steps to reproduce the vulnerability, potential impact, and any proof-of-concept or exploit code if applicable.
- Our security team will acknowledge your report within 72 hours, providing an assessment of the issue and an expected timeline for resolution.
- We will work with you to investigate and address the reported vulnerability promptly.
- Once the issue has been resolved, we will publicly acknowledge your contribution, if desired, and credit your responsible disclosure.
Please do not publicly disclose the security issue until we have had an opportunity to address it.
This security policy applies solely to the PolyPhyHub/PolyPhy GitHub repository. Other projects, websites, or services not under the PolyPhyHub/PolyPhy namespace are not covered by this policy. Any vulnerabilities discovered in third-party dependencies should be reported to the respective maintainers.
We highly recommend following these security best practices when interacting with the PolyPhyHub/PolyPhy repository:
- Keep your dependencies up to date: Ensure that you are using the latest version of any libraries, frameworks, or packages utilized by the project. Stay informed about security patches or updates released by the respective maintainers.
- Secure your environment: Protect your development environment, servers, and user accounts with strong passwords and appropriate access controls. Regularly monitor and review access logs and usage patterns for suspicious activity.
- Review code changes: Carefully review any changes made to the PolyPhyHub/PolyPhy repository, especially those related to security-sensitive areas such as authentication, authorization, input validation, and data handling. Maintain a robust code review process.
- Use secure coding practices: Adhere to secure coding principles, such as input validation, output encoding, proper error handling, and secure storage of sensitive information. Be aware of common web application vulnerabilities like Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection.
- Implement HTTPS: Use HTTPS for all communications with the PolyPhyHub/PolyPhy repository, including cloning, pulling, and pushing changes. Configure TLS certificates properly to ensure secure and encrypted connections.
- Protect sensitive information: Avoid committing or storing sensitive information such as access tokens, passwords, or API keys in version control systems or publicly accessible repositories. Utilize secure methods for storing and retrieving such information, such as environment variables or secure configuration files.
The PolyPhyHub/PolyPhy maintainers appreciate your contributions to the security and integrity of the project. By adhering to responsible disclosure and following security best practices, we can collectively strengthen the security posture of the software development community. Thank you for your efforts in helping us maintain a secure environment.