add security.md #439
Signed-off-by: Shawn Yan <shawn2016@aliyun.com>
Code Review
This pull request introduces a comprehensive SECURITY.md file that details the project's security architecture, vulnerability reporting process, and deployment security checklist. Feedback from the review highlights the need to provide a direct security contact email instead of referring to an incomplete CODE_OF_CONDUCT.md and recommends removing the hardcoded default bootstrap password from the public documentation to mitigate potential security risks.
To report a security issue, use one of the following private channels:

- **GitHub Security Advisories**: [https://github.com/iflytek/skillhub/security/advisories/new](https://github.com/iflytek/skillhub/security/advisories/new)
- **Email**: Send a detailed report to the maintainers via private channels listed in the repository's `CODE_OF_CONDUCT.md`
The instruction to report vulnerabilities via email by referring to CODE_OF_CONDUCT.md is currently broken because the provided CODE_OF_CONDUCT.md does not contain any email addresses or specific contact details. It only mentions a "private maintainer channel" without defining how to access it. This creates a barrier for security researchers. Please provide a direct security email address or update CODE_OF_CONDUCT.md with the necessary contact information.
Suggested change:
- **Email**: Send a detailed report to the maintainers via private channels listed in the repository's `CODE_OF_CONDUCT.md`
- **Email**: [Insert security contact email address]
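Review bot: The suggested replacement line still carries the literal placeholder `[Insert security contact email address]`; if it is applied as-is, the email channel remains unusable, just like the `CODE_OF_CONDUCT.md` reference it replaces. Fill in a monitored mailbox (or drop the email bullet and keep only the GitHub Security Advisories link) before this suggestion is committed.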
The `BootstrapAdminInitializer` creates a default admin account on first startup when `BOOTSTRAP_ADMIN_ENABLED=true` (the default for Docker-based deployments). The default credentials are:

- Username: `admin`
- Password: `ChangeMe!2026`
Hardcoding the default bootstrap password in the public SECURITY.md file is a security risk, as it makes it trivial for attackers to find and attempt to use these credentials against unconfigured instances. It is safer to refer to the .env.release.example file or an environment variable (e.g., BOOTSTRAP_ADMIN_PASSWORD) without disclosing the actual default string in the security policy.
Suggested change:
- Password: `ChangeMe!2026`
- Password: See the default value in .env.release.example
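Review bot: The suggested line `- Password: See the default value in .env.release.example` only relocates the disclosure; an unconfigured instance still starts with a fixed, publicly known credential because `BOOTSTRAP_ADMIN_ENABLED=true` is the Docker default per the paragraph above. SECURITY.md should state that `BOOTSTRAP_ADMIN_PASSWORD` must be set explicitly for production deployments, and the deployment security checklist should include verifying that the bootstrap account no longer uses the shipped default (for example by having the initializer refuse to create the account, or force a password change at first login, when the value is unset or unchanged).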
Summary
Add security.md file.
To allow raising issues about security.
Validation
Commands run:
# paste commands here
Risk
Notes