## Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 rating:

| Version | Supported |
| ------- | --------- |
| 1.x.x   | β         |
| < 1.0   | β         |
## Reporting a Vulnerability

We take the security of GONews seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via:

- GitHub Security Advisories: use the repository's Security Advisories feature
- Email: send a detailed report to security@yourdomain.com (replace with the actual email)
- Private issue: contact the maintainers directly through GitHub

Please include the following information in your report:

- Description of the vulnerability
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Possible mitigations or workarounds
- Your contact information for follow-up questions
### Example Report

```text
Subject: [SECURITY] SQL Injection vulnerability in article search

Description:
The article search functionality is vulnerable to SQL injection attacks
through the 'query' parameter.

Steps to Reproduce:
1. Navigate to /api/search
2. Send a POST request with payload: {"query": "'; DROP TABLE articles; --"}
3. Observe that the query is executed without sanitization

Impact:
This could allow attackers to:
- Extract sensitive data from the database
- Modify or delete data
- Potentially gain system access

Suggested Fix:
Use parameterized queries instead of string concatenation
```
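The fix the example report suggests, shown as an added Go example (not code from the GONews project): the concatenated query from the report next to a parameterized one whose SQL text never changes, plus the input validation the policy asks for. Function names, the `articles` table layout and the `maxQueryLen` limit are assumptions made for this illustration.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxQueryLen is an assumed limit for the search term; the project's real value is unknown.
const maxQueryLen = 100

// buildSearchUnsafe reproduces the bug class from the report: the term becomes part of the SQL text.
func buildSearchUnsafe(term string) string {
	return "SELECT id, title FROM articles WHERE title LIKE '%" + term + "%'"
}

// buildSearchSafe keeps the SQL text constant and passes the term as a bind parameter;
// LIKE wildcards in the term are escaped so they match literally rather than as patterns.
func buildSearchSafe(term string) (string, []any) {
	escaped := strings.NewReplacer("!", "!!", "%", "!%", "_", "!_").Replace(term)
	return "SELECT id, title FROM articles WHERE title LIKE ? ESCAPE '!'", []any{"%" + escaped + "%"}
}

// validateQuery rejects empty, oversized or non-UTF-8 terms before they reach the database.
func validateQuery(term string) error {
	switch {
	case strings.TrimSpace(term) == "":
		return errors.New("query must not be empty")
	case !utf8.ValidString(term):
		return errors.New("query must be valid UTF-8")
	case utf8.RuneCountInString(term) > maxQueryLen:
		return fmt.Errorf("query longer than %d characters", maxQueryLen)
	}
	return nil
}

// searchArticles is the hardened handler core: validate first, then run the constant
// statement through database/sql so the driver binds the term as data, never as SQL.
func searchArticles(ctx context.Context, db *sql.DB, term string) (*sql.Rows, error) {
	if err := validateQuery(term); err != nil {
		return nil, err
	}
	stmt, args := buildSearchSafe(term)
	return db.QueryContext(ctx, stmt, args...)
}
```

With the payload from the report, `buildSearchUnsafe` yields a statement containing `DROP TABLE articles`, while `buildSearchSafe` returns the same fixed statement for every input and carries the payload only inside the argument list.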
## Response Timeline

- Acknowledgment: we will acknowledge receipt of your vulnerability report within 48 hours
- Initial assessment: we will provide an initial assessment within 5 business days
- Regular updates: we will provide regular updates on our progress
- Resolution: we aim to resolve critical vulnerabilities within 30 days
## Severity Criteria

We use the following criteria to assess vulnerabilities:

- Remote code execution
- SQL injection with data access
- Authentication bypass
- Cross-site scripting (XSS)
- Local file inclusion
- Privilege escalation
- Information disclosure
- Cross-site request forgery (CSRF)
- Insecure direct object references
- Missing security headers
- Information leakage
- Minor configuration issues
## Recognition

We appreciate security researchers who help improve our security. Eligible reporters may receive:

- Public acknowledgment in our security advisories (if desired)
- Hall of Fame mention in our documentation
- Swag for significant findings (when available)
## Security Best Practices

- Keep your GONews installation up to date
- Use strong passwords and enable 2FA when available
- Regularly review access logs
- Use HTTPS in production
- Keep dependencies updated
- Follow secure coding practices

- Use parameterized queries
- Validate all input
- Implement proper authentication and authorization
- Use HTTPS for all communications
- Regularly update dependencies
- Enable security headers
- Use environment variables for secrets
## Security Features

GONews includes several security features:

- JWT authentication with configurable expiration
- Rate limiting to prevent abuse
- Input validation on all endpoints
- SQL injection protection through the ORM
- CORS configuration for cross-origin requests
- Security headers (HSTS, CSP, etc.)
- Environment-based configuration for secrets
## Contact

For any questions about this security policy, please contact:

- Project maintainer: GitHub profile
- Security email: security@yourdomain.com (replace with the actual email)
- General questions: GitHub Issues

Thank you for helping keep GONews and our users safe!