
Security Policy


Supported Versions

Security patches are provided only for the current latest release. Earlier releases receive no fixes; upgrade to the latest release to receive them.

| Version | Supported |
| --- | --- |
| Latest release | Yes |
| Previous releases | No |

Reporting a Vulnerability

If you discover a security vulnerability, do not open a public issue. Use one of the methods below instead.

Preferred: GitHub Security Advisory

Draft a Security Advisory on this repository (visible only to the maintainers until it is published).

Alternative: Direct Contact

ํ”„๋กœ์ ํŠธ ๊ด€๋ฆฌ์ž์—๊ฒŒ ๋น„๊ณต๊ฐœ๋กœ ์—ฐ๋ฝํ•ฉ๋‹ˆ๋‹ค.

Required Information

| Item | Description |
| --- | --- |
| Type | Vulnerability type (XSS, SQLi, authentication bypass, etc.) |
| Description | Detailed description |
| Steps to Reproduce | Reproduction steps |
| Impact | Scope of impact and severity |
| Fix Suggestion | Proposed fix (optional) |

Response Process

| Phase | Timeline | Description |
| --- | --- | --- |
| Acknowledgment | Within 3 business days | Confirm that the report was received |
| Assessment | Within 1 week | Assess severity and scope of impact |
| Patch | Depends on severity | Develop and test the patch |
| Disclosure | After the fix is deployed | Publish vulnerability details once the fix has shipped |

Secret Management

Never commit any of the following to the repository.

| Prohibited | Example |
| --- | --- |
| API Keys | REPLICATE_API_TOKEN, PORTONE_API_SECRET |
| Database Credentials | DB password, connection strings |
| Authentication Tokens | JWT secret, refresh tokens |
| Service Account Keys | GCP service account JSON |
| Environment Files | .env contents |

How We Manage Secrets

All sensitive configuration is managed centrally in GCP Secret Manager. GitHub itself holds no application secrets: the only repository secrets are the three identifiers needed for Workload Identity Federation, so CI obtains short-lived GCP credentials at run time instead of storing a service account key.

| Resource | Purpose |
| --- | --- |
| finders-prod-config | Production configuration (JSON) |
| finders-dev-config | Development configuration (JSON) |
| GitHub Secrets (3 only) | WIF_PROVIDER, WIF_SERVICE_ACCOUNT, GCP_PROJECT_ID |
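The flow the table describes, shown as an added example GitHub Actions workflow. This is illustrative code written for this page, not the project's own workflow: the trigger, job layout, the validation step and the deploy script path are assumptions. Only the three repository secrets from the table and the `finders-prod-config` secret name come from the page.

```yaml
name: deploy-prod

on:
  push:
    tags: ['v*']   # assumed trigger: release tags

permissions:
  contents: read
  id-token: write   # lets the job mint the GitHub OIDC token that WIF exchanges

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived GCP credentials.
      # Nothing here is a long-lived key: WIF_PROVIDER is a resource path and
      # WIF_SERVICE_ACCOUNT is an e-mail address, which is why only these three
      # values need to live in GitHub Secrets.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
          project_id: ${{ secrets.GCP_PROJECT_ID }}

      # Read the JSON config from Secret Manager at run time. No version is
      # given, so the latest version is returned; the action masks the value
      # in the job log.
      - id: config
        uses: google-github-actions/get-secretmanager-secrets@v2
        with:
          secrets: |-
            prod_config:projects/${{ secrets.GCP_PROJECT_ID }}/secrets/finders-prod-config

      # Sanity check that the secret holds valid JSON without ever printing it.
      - name: Validate config
        env:
          APP_CONFIG_JSON: ${{ steps.config.outputs.prod_config }}
        run: python3 -c 'import json, os; json.loads(os.environ["APP_CONFIG_JSON"])'

      # Pass the config to the deploy step through the environment only; do not
      # write it into the checkout, where it could end up in an artifact or
      # commit. The script path is an assumption.
      - name: Deploy
        env:
          APP_CONFIG_JSON: ${{ steps.config.outputs.prod_config }}
        run: ./scripts/deploy.sh
```

The service account named in `WIF_SERVICE_ACCOUNT` needs `roles/secretmanager.secretAccessor` on `finders-prod-config` (and on `finders-dev-config` for a development job); scoping the role to the individual secrets rather than the project keeps the CI identity at least privilege. Restricting the WIF provider's attribute condition to this repository (and, for production, to tag or protected-branch refs) prevents a workflow in any other repository from assuming the same service account.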

์ƒ์„ธ ๊ฐ€์ด๋“œ: SECRET_MANAGEMENT.md