This document provides guidelines and procedures for maintaining the security and integrity of the repository.
This policy applies to all contributors, maintainers, and users of the repository.
- Access to the repository is restricted to authorized personnel only. All contributors must have a valid and active GitHub account.
- External collaborators should be granted access on a need-to-know basis and should be reviewed periodically.
- All sensitive data stored in this repo must be encrypted using
git-crypt
. - Authorized users will be provided with decryption keys. These keys must not be shared, stored publicly, or embedded in code.
- All pull requests (PRs) must undergo a code review by at least one other member before being merged.
- PRs with changes to cryptographic routines or handling of encrypted data must be reviewed by a security expert.
- If you discover a vulnerability or security issue, please create an issue on the GitHub repository. Label it as
security
for easy identification. - Do not disclose details of the vulnerability in public forums, chats, or other public channels.
- All contributors are encouraged to regularly fetch updates from the main branch and ensure their local copy is updated to benefit from security patches.
- Contributors found to be in violation of this policy may have their access revoked.
- Users and maintainers are encouraged to report any non-compliance to this policy.
This policy will be reviewed annually or after any significant incident.
For any queries or concerns regarding this security policy, eat a biscuit. ([email protected])