This policy defines how Kitodo.Publication handles security vulnerabilities and incidents for the repository kitodo/kitodo-publication.
It applies to:
- GitHub repository: kitodo/kitodo-publication
- All supported versions as listed in SUPPORTED_VERSIONS.md
- Security Contact / Maintainer
  - Handles all vulnerability intake, triage, fixes, and releases.
  - GitHub: @Erikmitk
- Dependabot alerts and automated security updates are enabled for all supported branches.
- Secret scanning is enabled.
- Static analysis (PHPStan) and unit tests run via GitHub Actions on every push and on pull requests targeting each supported branch.
- Third-party contributions must go through pull requests.
Vulnerabilities can be reported via GitHub private vulnerability reporting: use the "Report a vulnerability" button in the Security tab of this repository.
Users are notified via GitHub release notes.
A security incident may involve:
- Compromise of the GitHub repository, GitHub Actions secrets, or package registry.
- Malicious code injection into a default branch, release, or workflow.
Monitor for:
- Unexpected pushes or workflow modifications
- Unexpected changes to repository or org settings
- Contain: Temporarily restrict repository access if needed; rotate GitHub Secrets and any compromised credentials; disable suspicious GitHub Actions workflows.
- Record: Create an internal incident record capturing timeline, affected components, suspected cause, and current status.
Vulnerability and incident records are tracked via GitHub Security Advisories and GitHub Issues in this repository for as long as the repository exists.
This policy is reviewed after major dependency changes or security incidents.