
Add SECURITY.md: disclosure policy + client_secret-in-config.json threat model #72

Description

@BorisTyshkevich

Part of #68 (Roadmap to 1.0.0) — release-blocker.

Problem

There is no SECURITY.md (no vulnerability-disclosure contact/policy) — standard for a 1.0, and more so for an Altinity-branded, security-sensitive tool. Separately, the client_secret-in-config.json situation is documented in the README but not formalized as a threat model: config.json is served to browsers, and the antalya deploy ships a Google client_secret "public-by-design".

Ask

  • Add SECURITY.md with a vulnerability-disclosure contact and supported-versions policy.
  • Document the threat model for config.json: it is public; prefer a PKCE public client (no secret); if an IdP requires a client_secret, the redirect URI must be locked and the file treated as public (mirror CLAUDE.md hard rule 3 + README "Configuring OAuth").
  • Consider a deploy-time warning when a client_secret is present in config.json.
  • Note token storage (sessionStorage, tab-lifetime) and the CSP posture (default-src 'none', tight connect-src) as the baseline.

Acceptance

  • SECURITY.md present: disclosure contact + the config.json/secret threat model + redirect-lock requirement.
  • (Optional) deploy renderer warns when a secret is configured.
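The deploy-time check asked for above, written as an added example that is not part of this issue or the project's own deploy renderer; the config.json key names (oauth.client_id, client_secret, redirect_uri, pkce) are assumptions about the schema, not the project's real format.

```python
"""Deploy-time audit of a browser-served config.json (added example, not the
project's code). The key names oauth.client_id / client_secret / redirect_uri /
pkce are assumed for illustration; substitute the real schema."""
import json
from urllib.parse import urlparse


def audit_oauth_config(config: dict) -> list[str]:
    """Return findings for the OAuth section; 'ERROR' entries should fail the deploy."""
    findings: list[str] = []
    oauth = config.get("oauth", {})
    secret = oauth.get("client_secret")
    redirect = oauth.get("redirect_uri")
    pkce = bool(oauth.get("pkce", False))

    if secret:
        # config.json is fetched by every browser, so any secret in it is public by design.
        findings.append("WARNING: client_secret present in config.json; the file is served "
                        "to browsers, so treat the secret as public")
        if not redirect:
            # A public secret is only tolerable when the redirect target is pinned.
            findings.append("ERROR: client_secret configured without a locked redirect_uri")
    if not pkce:
        findings.append("WARNING: PKCE disabled; prefer a PKCE public client with no secret")
    if redirect:
        u = urlparse(redirect)
        if u.scheme != "https" and u.hostname not in ("localhost", "127.0.0.1"):
            findings.append("ERROR: redirect_uri must use https")
        if "*" in redirect or not u.path:
            findings.append("ERROR: redirect_uri must be one exact URL (no wildcard, explicit path)")
    return findings


def audit_file(path: str) -> list[str]:
    """Load config.json from disk and audit it."""
    with open(path, encoding="utf-8") as f:
        return audit_oauth_config(json.load(f))


# Constructed sample mirroring the "secret public-by-design, redirect locked" deploy.
SAMPLE = {"oauth": {"client_id": "example-client-id",
                    "client_secret": "placeholder-not-a-real-secret",
                    "redirect_uri": "https://example.invalid/oauth/callback",
                    "pkce": True}}

if __name__ == "__main__":
    for finding in audit_oauth_config(SAMPLE):
        print(finding)
```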

Labels: documentation (Improvements or additions to documentation)