diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..5550068d22 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,64 @@ +# Security Policy + +## 📢 Reporting a Vulnerability + +At Cherry Studio, we take security seriously and appreciate your efforts to responsibly disclose vulnerabilities. If you discover a security issue, please report it as soon as possible. + +**Please do not create public issues for security-related reports.** + +- Contact us directly via **security@cherry-ai.com**. +- Include a detailed description of the issue, steps to reproduce, potential impact, and any possible mitigations. +- If applicable, please also attach proof-of-concept code or screenshots. + +We will acknowledge your report within **72 hours** and provide a status update as we investigate. + +--- + +## 🔒 Supported Versions + +We aim to support the latest released version and one previous minor release. + +| Version | Supported | +|-----------------|--------------------| +| Latest (`main`) | ✅ Supported | +| Previous minor | ✅ Supported | +| Older versions | ❌ Not supported | + +If you are using an unsupported version, we strongly recommend updating to the latest release to receive security fixes. + +--- + +## 💡 Security Measures + +Cherry Studio integrates several security best practices, including: + +- Strict dependency updates and regular vulnerability scanning. +- TypeScript strict mode and linting to reduce potential injection or runtime issues. +- Enforced code formatting and pre-commit hooks. +- Internal security reviews before releases. +- Dedicated MCP (Model Context Protocol) safeguards for model interactions and data privacy. + +--- + +## 🛡️ Disclosure Policy + +- We follow a **coordinated disclosure** approach. +- We will not publicly disclose vulnerabilities until a fix has been developed and released. +- Credit will be given to researchers who responsibly disclose vulnerabilities, if requested. + +--- + +## 🤝 Acknowledgements + +We greatly appreciate contributions from the security community and strive to recognize all researchers who help keep Cherry Studio safe. + +--- + +## 🌟 Questions? + +For any security-related questions not involving vulnerabilities, please reach out to: +**security@cherry-ai.com** + +--- + +Thank you for helping keep Cherry Studio and its users secure!