sillyspace/SECURITY.md
2026-06-03 22:59:03 -04:00

1.4 KiB

Security Policy

Bliish.space deployments are operator-managed instances.

Reporting Vulnerabilities

Report sensitive issues through the repository's private vulnerability reporting channel if one is configured. If not, contact the maintainer privately before publishing details.

For non-sensitive issues, open a public issue with:

  • affected version or commit;
  • affected route or feature;
  • expected behavior;
  • actual behavior;
  • reproduction steps;
  • impact assessment.

Supported Versions

Security fixes target the current main branch unless a release branch states otherwise.

Security Boundaries

Bliish.space currently treats these areas as security-critical:

  • password hashing;
  • cookie sessions;
  • CSRF checks;
  • profile HTML and skin sanitization;
  • upload validation and normalization;
  • oversized request rejection;
  • form action rate limiting;
  • security headers;
  • account export and deletion;
  • role-based admin and moderator actions;
  • report moderation;
  • post, comment, and upload deletion paths;
  • private profile visibility.

Non-Goals

Bliish.space does not provide:

  • hosted abuse monitoring;
  • centralized moderation;
  • managed backups;
  • managed email reputation;
  • DDoS protection;
  • security guarantees for modified custom skins or reverse proxy configs.

Instance operators are responsible for host hardening, TLS, backups, logs, and abuse response.