From 3f0aa0fb4914c128cf125662dcc399bbce0dad25 Mon Sep 17 00:00:00 2001 From: jremitz Date: Fri, 10 Apr 2026 11:08:50 -0500 Subject: [PATCH] docs: add security policy Documents supported versions, scope, and private vulnerability reporting channel so GitHub surfaces a policy in the Security tab and Community Standards checklist. --- SECURITY.md | 85 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3100f48 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,85 @@ +# Security Policy + +## Supported Versions + +reeln-cli is pre-1.0 software. Security fixes are published against the +latest release only. We recommend always running the most recent version +from [PyPI](https://pypi.org/project/reeln/) or the +[Releases page](https://github.com/StreamnDad/reeln-cli/releases). + +| Version | Supported | +| ------- | ------------------ | +| 0.0.x (latest) | :white_check_mark: | +| older | :x: | + +## Scope + +reeln-cli is a Python command-line toolkit that runs locally on a +livestreamer's machine. It orchestrates ffmpeg, OBS, and third-party +platform APIs through a plugin system; it does not expose any network +listeners of its own. + +In-scope concerns include, but are not limited to: +- Command injection via CLI arguments, config values, or game metadata + passed to `ffmpeg`, `obs`, or other subprocesses +- Path traversal or unsafe file handling in render queues, output + directories, or config overrides +- Credential leakage — OAuth tokens, API keys, or refresh tokens written + to logs, caches, or error messages in plain text +- Unsafe loading or deserialization of state, render queue, or config + files (JSON / YAML / TOML) +- Arbitrary code execution via the plugin discovery mechanism +- Dependency confusion or typosquatting on the PyPI package name + +Out of scope: +- Vulnerabilities in individual plugins (`reeln-plugin-*`) — report those + to the respective plugin repository +- Vulnerabilities in third-party APIs (YouTube, Meta, TikTok, OpenAI, + Cloudflare) or in tools reeln-cli invokes (`ffmpeg`, `obs`) — report + those to the respective project +- Issues that require an attacker to already have local code execution + on the user's machine or to have supplied a malicious plugin on purpose + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub +issues, discussions, or pull requests.** + +Report vulnerabilities using GitHub's private vulnerability reporting: + +1. Go to the [Security tab](https://github.com/StreamnDad/reeln-cli/security) + of this repository +2. Click **"Report a vulnerability"** +3. Fill in as much detail as you can: affected version, reproduction steps, + impact, and any suggested mitigation + +If you cannot use GitHub's reporting, email **git-security@email.remitz.us** +instead. + +### What to include + +A good report contains: +- The version of reeln-cli and Python you tested against +- Your operating system and architecture (macOS / Windows / Linux, arch) +- Steps to reproduce the issue +- What you expected to happen vs. what actually happened +- The potential impact (credential leakage, code execution, data loss, + denial of service, etc.) +- Any proof-of-concept code, if applicable + +### What to expect + +reeln-cli is maintained by a small team, so all timelines below are +best-effort rather than hard guarantees: + +- **Acknowledgement:** typically within a week of your report +- **Initial assessment:** usually within two to three weeks, including + whether we consider the report in scope and our planned next steps +- **Status updates:** roughly every few weeks until the issue is resolved +- **Fix & disclosure:** coordinated with you. We aim to ship a patch + release reasonably quickly for high-severity issues, with lower-severity + issues addressed in a future release. Credit will be given in the + release notes and CHANGELOG unless you prefer to remain anonymous. + +If a report is declined, we will explain why. You are welcome to disagree +and provide additional context.