From 6ff28d8a4dddc7bc8325f048ad7f4414249f1fae Mon Sep 17 00:00:00 2001 From: jekkos Date: Fri, 15 May 2026 12:24:39 +0200 Subject: [PATCH] docs: Update SECURITY.md with disclosure process (#4549) * docs: Update SECURITY.md with disclosure process and advisory template - Update published advisories table with CVE-2026-41306 and CVE-2026-41307 - Add disclosure process timeline - Add vulnerability template for researchers - Explain GitHub advisory creation workflow - Document security best practices for researchers This streamlines the vulnerability reporting process by allowing researchers to create draft advisories directly on GitHub, reducing triage overhead. * docs: Update SECURITY.md with CVE process and reporter acknowledgments - Add CVE request procedure through GitHub - Document that existing CVEs should be shared in reports - Clarify no bug bounty program (voluntary triage) - Add security best practices for researchers - Thank security researchers for contributions - Explain vulnerability template format * docs: Simplify SECURITY.md - remove CVE table, link to GitHub advisories --------- Co-authored-by: Ollama --- SECURITY.md | 131 ++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 111 insertions(+), 20 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 771524f48..ab58ee26e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,8 +5,9 @@ - [Supported Versions](#supported-versions) - [Security Advisories](#security-advisories) - [Reporting a Vulnerability](#reporting-a-vulnerability) + - [Disclosure Process](#disclosure-process) - + # Security Policy 
@@ -21,26 +22,116 @@ We release patches for security vulnerabilities. ## Security Advisories -The following security vulnerabilities have been published: - -### High Severity - -| CVE | Vulnerability | CVSS | Published | Fixed In | Credit | -|-----|--------------|------|-----------|----------|--------| -| [CVE-2025-68434](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-wjm4-hfwg-5w5r) | CSRF leading to Admin Creation | 8.8 | 2025-12-17 | 3.4.2 | @Nixon-H, @jekkos | -| [CVE-2025-68147](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xgr7-7pvw-fpmh) | Stored XSS in Return Policy | 8.1 | 2025-12-17 | 3.4.2 | @Nixon-H, @jekkos | -| [CVE-2025-66924](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-gv8j-f6gq-g59m) | Stored XSS in Item Kits | 7.2 | 2026-03-04 | 3.4.2 | @hungnqdz, @omkaryepre | - -### Medium Severity - -| CVE | Vulnerability | CVSS | Published | Fixed In | Credit | -|-----|--------------|------|-----------|----------|--------| -| [CVE-2025-68658](https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-32r8-8r9r-9chw) | Stored XSS in Company Name | 4.3 | 2026-01-13 | 3.4.2 | @hungnqdz | - -For a complete list including draft advisories, see our [GitHub Security Advisories page](https://github.com/opensourcepos/opensourcepos/security/advisories). +For a complete list of published and draft security advisories with CVE details, see our [GitHub Security Advisories page](https://github.com/opensourcepos/opensourcepos/security/advisories). ## Reporting a Vulnerability -Please report (suspected) security vulnerabilities to **[jeroen@steganos.dev](mailto:jeroen@steganos.dev)**. +**Option 1: GitHub Security Advisory (Preferred)** -You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days. \ No newline at end of file +1. 
Create a draft security advisory directly on GitHub: + - Go to https://github.com/opensourcepos/opensourcepos/security/advisories + - Click "New draft security advisory" + - Fill in the vulnerability details using our [template below](#vulnerability-template) + - Submit as **draft** (not published) + +2. Notify us for triage: + - Send an email to **[jeroen@steganos.dev](mailto:jeroen@steganos.dev)** with: + - Subject: `[GHSA] Brief description of vulnerability` + - Link to the draft advisory + - Brief summary + +**Option 2: Email Report** + +Send vulnerability details to **[jeroen@steganos.dev](mailto:jeroen@steganos.dev)**. + +You will receive a response within 48 hours. Confirmed vulnerabilities will be patched within a few days depending on complexity. + +## Disclosure Process + +### Timeline + +| Step | Timeline | Action | +|------|----------|--------| +| 1. Report received | Day 0 | We acknowledge within 48 hours | +| 2. Triage & confirmation | Day 1-3 | We validate the vulnerability | +| 3. Fix development | Day 3-7 | We develop and test the fix | +| 4. Patch release | Day 7-10 | We release a security patch | +| 5. CVE request | Day 7-14 | We request CVE from GitHub (if applicable) | +| 6. Advisory published | Day 14 | We publish the advisory with credit | +| 7. Public disclosure | Day 14+ | Full disclosure after patch release | + +### CVE Process + +**We request CVE identifiers through GitHub's security advisory system.** This is the preferred and easiest method: + +1. After we confirm and fix the vulnerability, we'll request a CVE through GitHub +2. GitHub coordinates with MITRE on our behalf +3. The CVE is automatically linked to the advisory +4. You'll be credited as the reporter in the published advisory + +**Already have a CVE?** If you've already obtained a CVE from another source (e.g., VulDB, CVE.MITRE.ORG), please include it in your report or advisory. We'll update our advisory to reference the existing CVE. 
+ +### No Bug Bounty Program + +**Important:** Open Source Point of Sale does not offer a bug bounty program. + +- All security research and vulnerability triage is done on a **voluntary basis** in our free time +- We do not offer monetary rewards for vulnerability reports +- We do credit reporters in published advisories (unless anonymity is requested) +- We greatly appreciate the security research community's efforts to help improve project security + +### Security Best Practices for Researchers + +- **Do not** access, modify, or delete data that doesn't belong to you +- **Do not** perform denial of service attacks +- **Do not** publicly disclose vulnerabilities before we've had time to fix them +- **Do** provide sufficient information to reproduce the vulnerability +- **Do** allow us reasonable time to fix before public disclosure +- **Do** report through official channels (GitHub advisories or email) + +### Vulnerability Template + +When creating a draft advisory, please include: + +``` +## Summary +[Brief description of the vulnerability] + +## Impact +- **Confidentiality:** [High/Medium/Low - what data can be exposed] +- **Integrity:** [High/Medium/Low - what can be modified] +- **Availability:** [High/Medium/Low - service disruption potential] +- **Privilege Required:** [None/Low/High - authentication level needed] +- **CVSS v3.1:** [Score] ([Vector string]) + +## Details +[Technical details about the vulnerability] + +**Affected Code:** +```php +// Path to affected file and vulnerable code +``` + +**Attack Vector:** +[How an attacker can exploit this] + +## Proof of Concept +```bash +# Steps to reproduce +``` + +## Patch +[Suggested fix or approach] + +## Affected Versions +- OpenSourcePOS X.Y.Z and earlier + +## Credit +[Your GitHub username or preferred name] +``` + +--- + +**Thank you to all security researchers who have contributed to making Open Source Point of Sale more secure.** Your voluntary efforts help protect thousands of users worldwide and 
contribute to a safer, more trustworthy free and open-source software ecosystem. We deeply appreciate your responsible disclosure and the time you invest in improving our project. + +If you've reported a vulnerability and would like to discuss CVE coordination or have questions about the process, please reach out to us at [jeroen@steganos.dev](mailto:jeroen@steganos.dev). \ No newline at end of file
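Review bot: the table-of-contents hunk (`@@ -5,8 +5,9 @@`) adds only `- [Disclosure Process](#disclosure-process)`, but the body of this same patch links to `#vulnerability-template` from step 1 of "Option 1" and introduces several new subsections (CVE Process, No Bug Bounty Program, Security Best Practices for Researchers, Vulnerability Template) that a reporter is expected to find. Consider listing at least the Vulnerability Template as a nested entry under Disclosure Process, in the same `  - [..](#..)` style the hunk already uses for nesting, so the anchor the reporting instructions depend on is reachable from the TOC.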
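Review bot: in the `@@ -21,26 +22,116 @@` hunk the "Vulnerability Template" block is opened with a plain three-backtick fence but contains nested ```` ```php ```` and ```` ```bash ```` blocks; in CommonMark the first inner closing ``` terminates the outer fence, so the rendered SECURITY.md will show the template broken apart after "// Path to affected file and vulnerable code" and the remaining sections (Attack Vector, Proof of Concept, Patch, Affected Versions, Credit) will render as ordinary Markdown rather than as a copyable template. Use a four-backtick outer fence (```` ```` ````) or indent the template so the inner fences survive. Two smaller points in the same hunk: "Option 1" tells external researchers to click "New draft security advisory", which is the button shown to users with write access to the repository; external reporters see "Report a vulnerability" instead, and only when private vulnerability reporting is enabled in the repository's security settings, so it is worth confirming that setting is on and naming that button in the instructions. And the timeline table's step 5 ("Day 7-14") overlaps step 6 ("Day 14"), which is fine, but step 1 says "We acknowledge within 48 hours" under a "Day 0" label; "Day 0-2" would match the 48-hour promise made earlier in the same file.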