Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in Web-Terminal, please report it responsibly:

1. Go to the GitHub Security Advisory page
2. Click "Report a vulnerability"
3. Fill out the advisory form with detailed information
4. Submit the advisory

Please provide as much information as possible:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact of the vulnerability
• Affected versions (if known)
• Suggested fix (if you have one)
• Your contact information for follow-up questions

Due to limited development resources, please understand that:

• Initial Response: We aim to acknowledge receipt within 48-72 hours
• Assessment: Initial assessment will be completed within 1 week
• Resolution: Timeline depends on severity and complexity, typically 1-4 weeks
• Disclosure: Coordinated disclosure after fix is available

• Critical: Immediate attention (RCE, privilege escalation)
• High: Quick response needed (authentication bypass, data exposure)
• Medium: Standard timeline (DoS, information disclosure)
• Low: Lower priority (minor information leaks)

Given that Web-Terminal manages system-level operations on OmniOS, please pay special attention to:

• Command Execution: Any potential for command injection

• Default Configurations: Insecure defaults
• SSL/TLS Implementation: Certificate validation, cipher suites
• CORS Configuration: Origin validation bypasses
• Database Security: SQL injection, unauthorized access

To maintain security:

1. Keep Updated: Always run the latest stable version
2. Secure Configuration: Follow the security configuration guide
3. Network Security: Use HTTPS, restrict network access appropriately
4. Monitor Logs: Watch for suspicious activity in application logs

Web-Terminal includes several security features:

• CORS Protection: Whitelist-based origin validation
• SSL/TLS Support: Configurable HTTPS with custom certificates
• Input Validation: Parameter validation and sanitization
• Audit Logging: Session Tracking

We appreciate the security research community's efforts in making Web-Terminal more secure. Responsible disclosure helps protect all users.

Contributors who responsibly report security vulnerabilities will be acknowledged here (with their permission):

• No vulnerabilities reported yet

This security policy may be updated as the project evolves. Check back periodically for changes.

Remember: Security is a shared responsibility. Your vigilance and responsible reporting help keep the entire Web-Terminal community safe.