Skip to content

Security: masa-57/PIC

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.1.x Yes

Reporting a Vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Instead, please either report vulnerabilities using GitHub Security Advisories: use the "Report a vulnerability" button on the Security tab or send an email to: 118902016+masa-57@users.noreply.github.com

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix for critical issues: Within 30 days
  • Fix for non-critical issues: Within 90 days

You will be credited in the fix unless you prefer to remain anonymous.

Security Considerations

PIC handles image data and provides an API with key-based authentication. When deploying:

  • Always set a strong PIC_API_KEY in production
  • Use HTTPS for all API communication
  • Restrict database access to the API server and workers only
  • Review S3/R2 bucket policies to prevent public access to images
  • Rotate secrets regularly (see docs/runbooks/secrets-rotation.md)

There aren't any published security advisories