We take the security of our project seriously. If you believe you've found a security vulnerability, please follow these steps to report it:
- Do Not Disclose Publicly: Please do not disclose the vulnerability publicly until we've had a chance to address it.
- Contact Information: Send a detailed report to our security team via one of the following channels:
  - Discord: Use the "create a ticket" option on our server and describe the problem in the ticket.
  - Email: security@kog.tw
- Include Details: Please provide:
  - A clear description of the vulnerability
  - Steps to reproduce the issue
  - The potential impact of the vulnerability
  - Any suggestions for mitigation
  - Your contact information for follow-up questions
When a vulnerability is reported, we will:
- Acknowledge Receipt: We'll acknowledge receipt of your report within 48 hours.
- Investigation: We'll investigate the issue and determine whether it is valid and how severe it is.
- Response Plan: Within 7 days, we'll provide an initial response outlining our next steps and, where possible, an expected timeline.
- Fix Development: For confirmed vulnerabilities, we'll develop a fix as quickly as possible.
- Public Disclosure: Once a fix is available, we'll coordinate with you on the disclosure timeline.
If you're contributing to this project, please follow these security best practices:
- Dependency Management: Use the latest stable, maintained versions of dependencies, and review what changes when you upgrade them.
- Input Validation: Validate all input on the server side and treat all client-supplied data as untrusted.
- Authentication: Use secure authentication methods and follow identity management best practices.
- Data Protection: Protect sensitive data both in transit and at rest.
- Code Review: All code must undergo security-focused code review before merging.
- Access Control: Use the principle of least privilege for all access controls.
- Secure Configuration: Follow secure configuration guidelines for all components.
- Logging and Monitoring: Implement proper logging and monitoring for security events.
- Regular Updates: Keep all systems and dependencies updated with security patches.
We conduct regular security testing, including:
- Static code analysis
- Dependency vulnerability scanning
- Manual security reviews
We believe in acknowledging security researchers who help improve our security. With permission, we'll acknowledge your contribution in our release notes and security advisories.
This Security Policy may be updated periodically. We'll announce significant changes through our normal communication channels.