We actively support the following versions of the DK24 Community Website:
| Version | Supported |
|---|---|
| Latest | ✅ Yes |
| < Latest | ❌ No |
We recommend always using the latest version deployed on our main branch.
The DK24 community takes security seriously. We appreciate your efforts to responsibly disclose your findings.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities to:
- Email: dk24consortium@gmail.com
- Subject: [SECURITY] Brief description of the issue
When reporting a security vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up
Subject: [SECURITY] XSS vulnerability in contact form
Description:
Cross-site scripting vulnerability found in the contact form submission.
Steps to Reproduce:
1. Navigate to /join page
2. Enter malicious script in the message field: <script>alert('XSS')</script>
3. Submit the form
4. Script executes on form submission
Impact:
Potential for malicious script execution, data theft, session hijacking.
Suggested Fix:
Implement proper input sanitization and validation on both client and server side.
Contact: dk24consortium@gmail.com
We aim to respond to security reports according to the following timeline:
- Initial Response: Within 24 hours
- Triage and Assessment: Within 72 hours
- Status Update: Weekly until resolved
- Resolution: Varies based on complexity
- Input Validation: All user inputs are validated and sanitized
- HTTPS: All communications are encrypted in transit
- Dependencies: Regular security audits of dependencies
- Code Review: All code changes go through security review
- Access Control: Principle of least privilege for all systems
- Dependency Scanning: Automated vulnerability scanning of dependencies
- Code Analysis: Static code analysis for security issues
- CI/CD Security: Security checks in our deployment pipeline
We follow responsible disclosure practices:
- Report received - We acknowledge receipt within 24 hours
- Investigation - We investigate and validate the report
- Fix development - We develop and test a fix
- Disclosure coordination - We coordinate disclosure timeline with reporter
- Public disclosure - We publicly disclose after fix is deployed
We believe in recognizing security researchers who help us improve:
- Hall of Fame: Recognition on our security page
- Acknowledgment: Credit in our security advisories (if desired)
- Swag: DK24 community merchandise for significant findings
- Reference: Professional reference for career opportunities
The following are considered out of scope for security reports:
- Social engineering attacks against DK24 members
- Physical attacks against DK24 infrastructure
- Denial of service attacks
- Spam or social media abuse
- Issues in third-party services we don't control
- Vulnerabilities requiring physical access to user devices
- Keep browsers updated to the latest version
- Use strong passwords and enable 2FA where available
- Be cautious of phishing attempts claiming to be from DK24
- Report suspicious activity to our security team
We will notify the community of security updates through:
- GitHub Security Advisories
- Community Discord/Slack channels
- Email notifications to registered users
- Website announcements
- Email: dk24consortium@gmail.com
- PGP Key: Available upon request
- Website: dk24.org
- Email: dk24consortium@gmail.com
For sensitive communications, we support:
- PGP encryption (key available upon request)
- Signal for real-time secure messaging
- ProtonMail for encrypted email
This security policy may be updated from time to time. We will notify the community of significant changes.
Last Updated: December 2024
Version: 1.0
Thank you for helping keep DK24 secure! 🛡️
The DK24 Security Team