# Security Policy

## Supported Versions

The following versions currently receive security updates:

| Version | Supported |
|:---|:---:|
| 1.3.x | Yes |
| 1.2.x | Yes |
| < 1.2 | No |

## Reporting a Vulnerability

If you discover a security vulnerability, please report it as follows:

### Do not report publicly

Please do not report security vulnerabilities through public Issues; details posted there are visible to attackers before a fix is available.

### How to report

1. Email the security team
2. Use GitHub's or Gitee's private vulnerability reporting feature

### What to include

Please include the following information in your report:

- Type of vulnerability
- Affected versions
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

### Response times

- Acknowledgement of receipt: within 48 hours
- Initial assessment: within 7 business days
- Fix release: depending on severity, usually within 30 days

### Disclosure

After the fix is released, we will:

1. Publish a security advisory
2. Update the CHANGELOG
3. Notify affected users (where applicable)

## Security Updates

Users are advised to:

- Update to the latest version promptly
- Subscribe to security advisories
- Check dependencies regularly for security updates

## Security Best Practices

Recommendations for using Sikuwa securely:

### Configuration files

- Do not store sensitive information (credentials, API keys, signing keys) in configuration files
- Manage secrets through environment variables
- Add configuration files that contain local or sensitive values to `.gitignore`
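
One way to enforce the first two points in code, as an added example (this is not Sikuwa's own configuration loader). It assumes a hypothetical JSON config format and a hypothetical `SIKUWA_<SECTION>_<KEY>` environment-variable naming convention: any key whose name looks secret-bearing must be left empty in the file and is filled from the environment, and a literal secret in the file is rejected outright, which makes the check usable as a pre-commit or CI guard.

```python
"""Added example (not Sikuwa code): keep secrets out of config files.

Assumed, hypothetical conventions: JSON config; secret-looking keys are
null/"" in the file and are read from SIKUWA_<DOTTED_PATH> env vars.
"""
from __future__ import annotations

import json
import os
import re
from typing import Mapping

# Key names that must never carry a literal value inside a config file.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token|api_?key|private_key", re.I)
ENV_PREFIX = "SIKUWA_"  # assumed naming convention for this example


class SecretInConfigError(ValueError):
    """A configuration file carried a literal secret value."""


class MissingSecretError(KeyError):
    """A secret-bearing key had no environment variable backing it."""


def env_name(path: str) -> str:
    """Map a dotted config path to its env var: 'signing.api_key' -> 'SIKUWA_SIGNING_API_KEY'."""
    return ENV_PREFIX + re.sub(r"[^A-Za-z0-9]", "_", path).upper()


def resolve_secrets(config: dict, env: Mapping[str, str], prefix: str = "") -> dict:
    """Return a copy of `config` where every secret-looking key is taken from `env`.

    A non-empty literal for such a key in the file is an error, as is a
    missing environment variable; nested sections are walked recursively.
    """
    out: dict = {}
    for key, value in config.items():
        path = prefix + key
        if isinstance(value, dict):
            out[key] = resolve_secrets(value, env, path + ".")
        elif SECRET_KEY_RE.search(key):
            if value not in (None, ""):
                raise SecretInConfigError(f"{path}: secrets must not be stored in the config file")
            name = env_name(path)
            if name not in env:
                raise MissingSecretError(f"{path}: set environment variable {name}")
            out[key] = env[name]
        else:
            out[key] = value
    return out


def load_config(text: str, env: Mapping[str, str] | None = None) -> dict:
    """Parse JSON config text and resolve its secrets (defaults to os.environ)."""
    return resolve_secrets(json.loads(text), os.environ if env is None else env)


def config_status(text: str, env: Mapping[str, str]) -> str:
    """'ok', 'secret-in-file' or 'missing-env'; convenient for a CI/pre-commit check."""
    try:
        load_config(text, env)
    except SecretInConfigError:
        return "secret-in-file"
    except MissingSecretError:
        return "missing-env"
    return "ok"


# Constructed sample config (not a real Sikuwa config): secrets are left null/empty.
SAMPLE_CONFIG = """
{
  "entry": "app/main.py",
  "signing": {"identity": "Developer ID", "api_key": null},
  "upload": {"url": "https://example.invalid/upload", "token": ""}
}
"""

# The same file with a secret pasted in: exactly what the rule above forbids.
LEAKY_CONFIG = SAMPLE_CONFIG.replace('"api_key": null', '"api_key": "sk-live-123"')

if __name__ == "__main__":
    fake_env = {"SIKUWA_SIGNING_API_KEY": "from-env", "SIKUWA_UPLOAD_TOKEN": "t0k3n"}
    print(load_config(SAMPLE_CONFIG, fake_env))
    print("leaky config:", config_status(LEAKY_CONFIG, fake_env))
    print("no env:", config_status(SAMPLE_CONFIG, {}))
```

The pattern list is deliberately a denylist of key names rather than a value scanner; pair it with a `.gitignore` entry for the local config file so that even an accidental literal never reaches the repository.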

### Build environment

- Use a virtual environment to isolate dependencies
- Update dependencies regularly
- Verify the integrity of third-party packages
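
The integrity check in the last point, shown as an added example (not Sikuwa's code): it parses a pip-style requirements file with `--hash=` pins and verifies downloaded artifacts against them, which is the same comparison `pip install --require-hashes -r requirements.txt` performs. The sample wheel bytes and requirements text are constructed inline; the tampered wheel and the unpinned package are the two failure modes a practitioner should expect it to reject.

```python
"""Added example (not Sikuwa code): verify third-party packages against
hashes pinned in a pip-style requirements file.

Sample artifacts and the requirements text are constructed in this file.
"""
from __future__ import annotations

import hashlib
import re
import shlex
from pathlib import Path

HASH_RE = re.compile(r"^--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)$")
HASH_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}


def normalize(name: str) -> str:
    """Normalize a project name the way pip does (case-insensitive, '_' == '-')."""
    return name.lower().replace("_", "-")


def parse_requirements(text: str) -> dict[str, set[tuple[str, str]]]:
    """Map each requirement's project name to its pinned {(algo, digest)} set.

    Handles the backslash-continued multi-line style pip-compile emits and
    refuses any requirement without a --hash, as --require-hashes does.
    """
    pinned: dict[str, set[tuple[str, str]]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        req, opts = tokens[0], tokens[1:]
        name = normalize(re.split(r"[=<>!~\[ ;]", req, maxsplit=1)[0])
        hashes: set[tuple[str, str]] = set()
        for opt in opts:
            m = HASH_RE.match(opt)
            if not m or len(m.group(2)) != HASH_LEN[m.group(1)]:
                raise ValueError(f"{name}: malformed or unsupported option {opt!r}")
            hashes.add((m.group(1), m.group(2).lower()))
        if not hashes:
            raise ValueError(f"{name}: no --hash pinned; refusing unpinned requirement")
        pinned[name] = hashes
    return pinned


def is_fully_pinned(text: str) -> bool:
    """True iff every requirement in `text` carries at least one valid --hash."""
    try:
        parse_requirements(text)
    except ValueError:
        return False
    return True


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def verify_artifact(name: str, data: bytes, pinned: dict[str, set[tuple[str, str]]]) -> bool:
    """True iff `data` matches one of the digests pinned for project `name`."""
    hashes = pinned.get(normalize(name))
    if not hashes:
        return False  # unpinned package: never trust it
    return any(digest(data, algo) == want for algo, want in hashes)


def verify_downloads(directory: Path, pinned: dict[str, set[tuple[str, str]]]) -> dict[str, bool]:
    """Check every wheel/sdist in `directory` (e.g. the output of `pip download`)."""
    results = {}
    for path in sorted(directory.iterdir()):
        if path.suffix not in (".whl", ".gz"):
            continue
        project = path.name.split("-", 1)[0]  # filename prefix is the project name
        results[path.name] = verify_artifact(project, path.read_bytes(), pinned)
    return results


# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for requests-2.31.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected"

# Constructed requirements text in the format pip-compile --generate-hashes writes.
REQUIREMENTS = (
    "requests==2.31.0 \\\n"
    f"    --hash=sha256:{digest(GOOD_WHEEL, 'sha256')}\n"
)

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("good wheel:", verify_artifact("requests", GOOD_WHEEL, pins))
    print("tampered wheel:", verify_artifact("requests", TAMPERED_WHEEL, pins))
    print("unpinned package:", verify_artifact("urllib3", GOOD_WHEEL, pins))
```

In practice, generate the pins with `pip hash <file>` or `pip-compile --generate-hashes`, commit the pinned file, and install with `pip install --require-hashes -r requirements.txt` inside the virtual environment; the script above is useful when artifacts are fetched by some other means (a mirror, an offline bundle) and pip's own check is not in the path.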

### Output files

- Review the generated executables
- Use code signing (where applicable)
- Scan build artifacts for security vulnerabilities