53 changes: 53 additions & 0 deletions SECURITY.md
@@ -0,0 +1,53 @@
# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| Latest release | :white_check_mark: |
| Older releases | :x: |

Only the latest release receives security fixes.

## Scope

AutoRaise is a macOS accessibility utility that:
- Uses Accessibility APIs (`AXUIElement`) to observe and raise windows
- Reads a local configuration file (`~/.AutoRaise` or `~/.config/AutoRaise/config`)
- Runs as a user-space process with no network access

Relevant attack surfaces include:
- **Config file parsing** — malformed or malicious `~/.AutoRaise` values
- **Accessibility API abuse** — privilege escalation via the granted Accessibility permission
- **Binary distribution** — unsigned or tampered binaries

Out of scope: issues requiring physical access or root privileges the attacker already possesses.

## Reporting a Vulnerability

Please **do not** open a public GitHub issue for security vulnerabilities.

Instead, report privately via one of these channels:
1. **GitHub Private Advisory** — use the "Report a vulnerability" button on the [Security tab](https://github.com/sbmpost/AutoRaise/security/advisories/new)
2. **Email** — contact the maintainer directly (see GitHub profile for contact info)

Include in your report:
- A description of the vulnerability and its impact
- Steps to reproduce or a proof-of-concept
- Affected version(s)
- Any suggested mitigations

## Response Timeline

| Step | Target |
|------|--------|
| Acknowledgement | Within 7 days |
| Status update | Within 30 days |
| Fix / advisory | Depends on severity |

## Security Considerations for Users

- Grant Accessibility permission only to trusted builds
- Download releases from the [official GitHub releases page](https://github.com/sbmpost/AutoRaise/releases) only
- Verify the binary is not tampered with (check SHA or Gatekeeper status)
- Review your `~/.AutoRaise` config if shared or sourced from untrusted sources
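Review bot: the "Verify the binary is not tampered with (check SHA or Gatekeeper status)" item under "Security Considerations for Users" gives users nothing to verify against: the policy names no location for published checksums and no expected code-signing identity, so a user cannot tell a legitimate SHA from a tampered one. Suggest publishing a SHA-256 checksum file next to each release on the releases page referenced in the same list and stating the expected signing identity (or that the build is unsigned, if that is the case), so the "Binary distribution" surface listed under "Scope" has a concrete check attached to it. Separately, both links in the document point at the host `github.com` rather than `github.com`; for a vulnerability-reporting channel the canonical host should be used so reporters are not sent to a mirror.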