From 139909e7a89210465a4229ff8c732ad269cc9bcf Mon Sep 17 00:00:00 2001 From: jremitz Date: Fri, 10 Apr 2026 11:31:25 -0500 Subject: [PATCH] docs: add security policy Documents scope (R2 credential handling, presigned URL safety, object key path traversal), supported versions, and private vulnerability reporting channel so GitHub surfaces a policy in the Security tab and Community Standards checklist. --- SECURITY.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..21ece3d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,88 @@ +# Security Policy + +## Supported Versions + +reeln-plugin-cloudflare is pre-1.0 software. Security fixes are +published against the latest release only. We recommend always running +the most recent version from +[PyPI](https://pypi.org/project/reeln-plugin-cloudflare/) or the +[Releases page](https://github.com/StreamnDad/reeln-plugin-cloudflare/releases). + +| Version | Supported | +| ------- | ------------------ | +| latest release | :white_check_mark: | +| older | :x: | + +## Scope + +reeln-plugin-cloudflare is a reeln-cli plugin that uploads video clips +and highlight files to Cloudflare R2 storage via the S3-compatible API. +It runs inside `reeln-cli` on a livestreamer's local machine and makes +outbound HTTPS requests to Cloudflare using R2 access keys stored on +disk. + +In-scope concerns include, but are not limited to: +- Leakage of R2 access key IDs, secret access keys, or account IDs via + logs, error messages, cached responses, or saved state +- Insecure file permissions on the on-disk credential store +- Unsafe handling of presigned URLs — accidental logging, overly long + expirations, or granting broader permissions than intended +- Path traversal in R2 object keys derived from user-supplied game + metadata (team names, clip titles, roster strings) +- Unsafe deserialization of R2/S3 API responses or cached manifests +- Command injection or path traversal in upload staging directories or + local artifact paths +- Dependency confusion or typosquatting on the PyPI package name + +Out of scope: +- Vulnerabilities in Cloudflare R2 itself or in the upstream `boto3` / + `botocore` S3 client — report those to the respective upstream +- Vulnerabilities in reeln-cli or other reeln plugins — report those to + the respective repository +- Issues that require an attacker to already have local code execution + on the user's machine or access to the stored R2 credentials + +## Reporting a Vulnerability + +**Please do not report security 
vulnerabilities through public GitHub +issues, discussions, or pull requests.** + +Report vulnerabilities using GitHub's private vulnerability reporting: + +1. Go to the [Security tab](https://github.com/StreamnDad/reeln-plugin-cloudflare/security) + of this repository +2. Click **"Report a vulnerability"** +3. Fill in as much detail as you can: affected version, reproduction steps, + impact, and any suggested mitigation + +If you cannot use GitHub's reporting, email **git-security@email.remitz.us** +instead. + +### What to include + +A good report contains: +- The version of reeln-plugin-cloudflare, reeln-cli, and Python you + tested against +- Your operating system and architecture (macOS / Windows / Linux, arch) +- Steps to reproduce the issue +- What you expected to happen vs. what actually happened +- The potential impact (credential leakage, unauthorized bucket access, + presigned URL abuse, data loss, etc.) +- Any proof-of-concept code, if applicable + +### What to expect + +This plugin is maintained by a small team, so all timelines below are +best-effort rather than hard guarantees: + +- **Acknowledgement:** typically within a week of your report +- **Initial assessment:** usually within two to three weeks, including + whether we consider the report in scope and our planned next steps +- **Status updates:** roughly every few weeks until the issue is resolved +- **Fix & disclosure:** coordinated with you. We aim to ship a patch + release reasonably quickly for high-severity issues, with lower-severity + issues addressed in a future release. Credit will be given in the + release notes and CHANGELOG unless you prefer to remain anonymous. + +If a report is declined, we will explain why. You are welcome to disagree +and provide additional context.
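Review bot: the "Out of scope" bullet excluding "access to the stored R2 credentials" appears to contradict the in-scope bullet "Insecure file permissions on the on-disk credential store" in the same Scope section, since a permissions bug is exactly how a different local user would gain that access; consider rewording the exclusion to something like "Issues that require an attacker to already run code as the same user on the machine" so reporters know that file-permission findings are still wanted. Related, in the Reporting section the email fallback at git-security@email.remitz.us offers no encryption guidance while "What to include" asks for proof-of-concept code and credential-leakage details; adding a PGP key or fingerprint (or a line saying to request one) would keep those reports from travelling in cleartext.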