1.4 KiB
1.4 KiB
Security Policy
Bliish.space deployments are operator-managed instances.
Reporting Vulnerabilities
Report sensitive issues through the repository's private vulnerability reporting channel if one is configured. If not, contact the maintainer privately before publishing details.
For non-sensitive issues, open a public issue with:
- affected version or commit;
- affected route or feature;
- expected behavior;
- actual behavior;
- reproduction steps;
- impact assessment.
Supported Versions
Security fixes target the current main branch unless a release branch states otherwise.
Security Boundaries
Bliish.space currently treats these areas as security-critical:
- password hashing;
- cookie sessions;
- CSRF checks;
- profile HTML and skin sanitization;
- upload validation and normalization;
- oversized request rejection;
- form action rate limiting;
- security headers;
- account export and deletion;
- role-based admin and moderator actions;
- report moderation;
- post, comment, and upload deletion paths;
- private profile visibility.
Non-Goals
Bliish.space does not provide:
- hosted abuse monitoring;
- centralized moderation;
- managed backups;
- managed email reputation;
- DDoS protection;
- security guarantees for modified custom skins or reverse proxy configs.
Instance operators are responsible for host hardening, TLS, backups, logs, and abuse response.