Rendered by `adopt-standard.sh` from the standards repo, pinned at `1.0.0`. Replace the `{{PLACEHOLDERS}}` and tailor as needed. This is the adopter-facing variant of the standard's own `SECURITY.md`; keep the no-plaintext-secret rule and the data traffic-light intact.
This policy applies to Kenearos/blizz. It is derived from our engineering
standard (pinned in .standards-version).
Do not open a public issue for a security problem — a public issue widens exposure before a fix exists (a private repo is non-public, not secret-safe).
- Email kenearos@googlemail.com with the subject prefix `[SECURITY] blizz`.
- Include: affected file/component, the version/commit you observed it on, a minimal reproduction, and the impact you foresee.
- Never paste a real secret, private key, token, or production hostname into the report. If a credential leaked, report that it leaked and where — then rotate it first, before anything else.
Expect acknowledgement within 3 business days and a triage decision within 10 business days. We prefer coordinated disclosure: please give us a reasonable window to ship a fix before any public write-up.
No plaintext secret material is committed to this repository, not even "just for a minute" and not even though the repo is private.
- Encrypted-only. Machine-readable secrets are encrypted with SOPS + age before they touch git. Only `*.enc.*`/`*.sops.*` ciphertext and `*.example` placeholders belong in version control.
- age keys, not the KeePass master password. Use dedicated age keys. KeePass remains the human vault (emergency codes, manual credentials, key backups). Never reuse the KeePass master password for other crypto purposes.
- SSH keys. Private keys are never committed; public keys may be versioned.
- A FIDO2 / hardware-token path is supported for the age identity.
This is enforced, not honour-system:

| Layer | Mechanism |
|---|---|
| Pre-commit (local) | gitleaks + sops-encrypted-check in .pre-commit-config.yaml; secret-safe .gitignore |
| CI security-scan | secret + dependency scanning |
| CI policy_check | Rego policy from the pinned standard |
If a secret is ever committed: treat it as compromised, rotate it immediately, then scrub history. Rotation comes first.
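The encrypted-only rule and the pre-commit layer above can be checked mechanically. What follows is an added example, not the project's own `sops-encrypted-check` hook and not the standard's Rego policy: a POSIX shell check that rejects any staged `*.enc.*`/`*.sops.*` file that does not carry a `sops:` metadata block and `ENC[...]`-wrapped values, while letting `*.example` placeholders and ordinary files through. The fixture file names and contents are constructed for the demo (no real secrets); the `sops:`/`ENC[` markers are the shape of real SOPS output, and `check_path`, `check_staged` and `make_fixture_dir` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the project's own sops-encrypted-check hook: a minimal
# pre-commit style check that refuses staged files which are named like secrets
# (*.enc.* / *.sops.*) but do not actually contain SOPS ciphertext.
# Assumptions: SOPS output carries a top-level "sops:" (YAML) or "sops": (JSON)
# metadata block and wraps every value as ENC[...]; *.example files are placeholders.

# 0 if FILE looks like SOPS ciphertext, 1 if it looks like plaintext.
is_sops_ciphertext() {
    f="$1"
    { grep -q '^sops:' "$f" || grep -q '"sops":' "$f"; } || return 1
    grep -q 'ENC\[' "$f" || return 1
    return 0
}

# 0 = allowed in version control, 1 = rejected.
# Only secret-named files are inspected here; everything else is left to gitleaks.
check_path() {
    p="$1"
    case "$p" in
        *.example)        return 0 ;;
        *.enc.*|*.sops.*) is_sops_ciphertext "$p" ;;
        *)                return 0 ;;
    esac
}

# Hook entry point: inspect every staged (added/copied/modified) file and fail the
# commit if any secret-named file is plaintext. Paths with whitespace are not handled.
check_staged() {
    rc=0
    for p in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$p" ] || continue
        if ! check_path "$p"; then
            echo "BLOCKED: $p is named like a secret but is not SOPS-encrypted" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed fixtures (fake values, not real secrets) so the check can be
# exercised without a git repository. Prints the directory it created.
make_fixture_dir() {
    d=$(mktemp -d)
    # Shape of a SOPS+age encrypted YAML file: values wrapped in ENC[...], metadata at the end.
    cat > "$d/db.sops.yaml" <<'EOF'
password: ENC[AES256_GCM,data:c2FtcGxl,iv:AAAA,tag:BBBB,type:str]
sops:
    age:
        - recipient: age1EXAMPLEPLACEHOLDER
    mac: ENC[AES256_GCM,data:bWFj,type:str]
EOF
    # A file named as encrypted but holding a plaintext value: must be rejected.
    printf 'API_TOKEN=not-a-real-token-plaintext\n' > "$d/api.enc.env"
    # Placeholder file: allowed.
    printf 'API_TOKEN=<fill-in-locally>\n' > "$d/api.env.example"
    # Ordinary content: not this hook's concern.
    printf '# blizz\n' > "$d/README.md"
    printf '%s\n' "$d"
}

# Stand-alone demo: classify each fixture file, then clean up.
demo() {
    d=$(make_fixture_dir)
    for p in "$d"/*; do
        if check_path "$p"; then echo "ALLOW  $p"; else echo "BLOCK  $p"; fi
    done
    rm -rf "$d"
}

demo
```

Wire `check_staged` as the hook command and keep gitleaks alongside it: this check only catches secret-named files that were left in plaintext, not secrets pasted into arbitrary files. When it fires on something already committed, the order in the policy still applies: rotate first, scrub history second.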
Classify every piece of content before committing:
| Light | Meaning | Rule |
|---|---|---|
| 🟢 GREEN | Technical content, no personal data. | OK in the repo. |
| 🟡 YELLOW | Minimized personal reference — roles / IDs, not real names. | Use sparingly. |
| 🔴 RED | Sensitive personal data, plaintext secrets, private keys. | Never in the repo. Encrypt secrets (SOPS+age) or keep personal data out entirely. |
| Version | Supported |
|---|---|
| Latest release of blizz | ✅ Yes |
| Older releases | ❌ Upgrade first |
The standard this repo adopts follows SemVer; bump `.standards-version` deliberately and read its CHANGELOG migration notes.