Skip to content

Security: MythicalLTD/Pterodactyl-Desktop

Security

.github/SECURITY.md

Pterodactyl GitHub Security Policy

Table of Contents

  1. Introduction
  2. Code Management
  3. Authentication and Access Control
  4. Secure Coding Practices
  5. Sensitive Data Handling
  6. Third-Party Libraries
  7. Security Testing
  8. Reporting Security Issues
  9. Training and Awareness
  10. Policy Review

1. Introduction

The purpose of this security policy is to ensure the confidentiality, integrity, and availability of the codebase and sensitive data related to our app. This policy applies to all team members with access to the GitHub repository. Adhering to these guidelines is essential for maintaining the security of our app.

2. Code Management

  • All code must be version controlled using Git, and changes should be made through pull requests.
  • Pull requests must be reviewed and approved by at least one other team member before merging into the main branch (e.g., main or develop).
  • Regular code reviews should focus on security aspects, including potential vulnerabilities and best practices.

3. Authentication and Access Control

  • Access to the GitHub repository should be granted based on the principle of least privilege. Team members should have access only to the repositories and branches relevant to their roles.
  • Strong, unique passwords should be used for GitHub accounts. Consider enabling two-factor authentication (2FA) for added security.

4. Secure Coding Practices

  • Follow secure coding practices, adhering to the principle of "defense in depth."
  • Sanitize and validate all input data to prevent common web vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.
  • Avoid storing sensitive information like passwords, API keys, or tokens directly in the code. Use environment variables or secure configuration files instead.
  • Implement appropriate error handling to avoid leaking sensitive information to end-users.
  • Regularly update and patch dependencies to ensure they are free from known vulnerabilities.

5. Sensitive Data Handling

  • Avoid committing sensitive data (e.g., passwords, API keys, private keys) to the repository.
  • Use a secrets management system to securely store and share sensitive data with authorized team members when necessary.
  • Encryption should be used when transmitting sensitive data.

6. Third-Party Libraries

  • Only use reputable third-party libraries and packages from trusted sources.
  • Regularly review and update third-party dependencies to ensure they are free from vulnerabilities.
  • Monitor security advisories and promptly address any reported vulnerabilities in third-party libraries.

7. Security Testing

  • Conduct regular security assessments and penetration testing of the app.
  • Implement automated security testing tools (e.g., static code analysis, vulnerability scanners) in the development process.
  • Perform security reviews before deploying updates or new features.

8. Reporting Security Issues

  • If a team member discovers a security vulnerability or incident, they should report it immediately to the security team or repository administrators.
  • Encourage responsible disclosure from external researchers and users.

9. Training and Awareness

  • Ensure that all team members receive regular security training to stay informed about the latest threats and best practices.
  • Foster a security-aware culture among all contributors to promote accountability and vigilance.

10. Policy Review

  • This security policy should be reviewed periodically to ensure it remains up-to-date and relevant to the project's needs.
  • The security team or repository administrators should initiate policy reviews and make necessary updates.

There aren’t any published security advisories