steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity
Files
0fbacf9f986485854aa4afdc3e6e1657d62723bd
restic-manager/docs/book/src/security/disclosure.md
T
steve bb4ed3502d P5: OSS readiness — docs site, contributor onboarding, e2e harness 
P5-01 — Documentation site under docs/book/ rendered with mdBook
(downloaded via Makefile, same static-binary pattern as Tailwind).
Structured chapters: getting started, concepts, operations,
security, reference. `make docs` / `make docs-watch`. Generated
output gitignored.

P5-02 — CONTRIBUTING.md rewritten from placeholder to a full
guide. CODE_OF_CONDUCT.md adapted from Contributor Covenant for a
single-maintainer project. .gitea/issue_template/{bug,feature}.md
and PULL_REQUEST_TEMPLATE.md.

P5-04 — Six README screenshots captured live from a fresh server
bootstrap (login, empty dashboard, add-host, alerts, settings,
audit log). README rewritten to centre the screenshot grid and
link out to the docs site.

P5-05 — SECURITY.md with disclosure policy (3-day ack, 30-day
default window), scope in/out, threat-model summary, operator
hardening checklist. Mirrored as a docs-site chapter.

P5-06 — End-to-end test harness. e2e/compose.e2e.yml brings up
server + sibling Linux agent (alpine + restic) + restic/rest-server.
Agent uses announce-and-approve so Playwright can drive the full
operator flow: bootstrap → login → accept pending → backup →
verify terminal status. Second spec scrapes /metrics to assert
the P6-04 endpoint surface. .gitea/workflows/e2e.yml runs on every
PR; local how-to in docs/e2e.md.
2026-05-08 20:08:23 +01:00

1.4 KiB
Raw Blame History

Reporting vulnerabilities

The full disclosure policy lives in SECURITY.md at the repo root. The short version:

  • Don't open a public issue.
  • Send a Gitea private message to steve on https://gitea.dcglab.co.uk, or email the address on the maintainer's profile, with a subject like [SECURITY] restic-manager: <one-line summary>.
  • Expect an acknowledgement within 3 working days; escalate through the other channel if you don't get one.
  • Default disclosure window is 30 days from confirmed report to public disclosure, faster if a PoC is already circulating, slower only by mutual agreement.

What to include

A description of the issue and the impact, the affected component (server / agent / install script / docs), the version, and reproduction steps. A working PoC is welcome but not required — a credible threat model is enough.

In scope vs. out of scope

See the full policy. Quick highlights:

  • In scope: server, agent, install scripts, docker image, docker-compose reference, crypto choices, docs that lead to insecure configs.
  • Out of scope: restic itself (report upstream), unpatched third-party deps (report upstream first), pre-authenticated admin abuse (admins are designed to have full power), DoS on deployments without the recommended reverse proxy.
Reference in New Issue View Git Blame Copy Permalink