Davidson Gomes
GitHub
commit
e198d858b9
75
SECURITY.md
Normal file
75
SECURITY.md
Normal file
@ -0,0 +1,75 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
We aim to support the latest stable release of Evo AI and apply security updates as soon as possible. Please use the most recent version for the best security.
|
||||
|
||||
---
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
If you discover a security vulnerability in Evo AI, **please report it privately** and responsibly. Do **not** open a public issue.
|
||||
|
||||
**To report a vulnerability:**
|
||||
|
||||
- Email: [contato@evolution-api.com](mailto:contato@evolution-api.com)
|
||||
- Include as much detail as possible, including:
|
||||
- Steps to reproduce the issue
|
||||
- Potential impact
|
||||
- Your suggestions (if any) for remediation
|
||||
|
||||
You will receive a response as soon as possible. We may request additional information to fully understand and address the issue.
|
||||
|
||||
---
|
||||
|
||||
## Security Best Practices
|
||||
|
||||
- **Keep your installation up to date.**
|
||||
Always use the latest stable version and regularly check for updates.
|
||||
|
||||
- **Environment Variables:**
|
||||
Store all secrets, credentials, and keys in environment variables or secrets managers.
|
||||
Never commit sensitive information to the repository.
|
||||
|
||||
- **Authentication:**
|
||||
Evo AI uses JWT authentication with expiration, email verification, and account lockout for brute-force protection.
|
||||
|
||||
- **Passwords:**
|
||||
All passwords are securely hashed with bcrypt and random salt.
|
||||
|
||||
- **Access Control:**
|
||||
Access to sensitive endpoints is protected via role-based checks and resource ownership verification.
|
||||
|
||||
- **Audit Logs:**
|
||||
Important administrative actions are logged for traceability.
|
||||
|
||||
- **Input Validation:**
|
||||
All inputs are validated using Pydantic schemas to prevent injection attacks.
|
||||
|
||||
---
|
||||
|
||||
## Responsible Disclosure
|
||||
|
||||
Please give us a reasonable time to investigate and address any reported security issues before any public disclosure.
|
||||
|
||||
---
|
||||
|
||||
## Project Security Features
|
||||
|
||||
- JWT tokens with limited lifetime
|
||||
- Secure password hashing (bcrypt)
|
||||
- Email verification with one-time tokens
|
||||
- Account lockout after multiple failed login attempts
|
||||
- Resource-based access control
|
||||
- Strict input validation for all APIs
|
||||
- Separation between regular and administrative users
|
||||
|
||||
---
|
||||
|
||||
## License
|
||||
|
||||
All security contributions are made under the [Apache License 2.0](./LICENSE).
|
||||
|
||||
---
|
||||
|
||||
Thank you for helping keep Evo AI and its users safe!
|
||||
Loading…
Reference in New Issue
Block a user