SECURITY.md

# Security Policy

## Supported Versions

This is a personal website project. The latest version on the `main` branch is always supported.

| Version | Supported          |
| ------- | ------------------ |
| Latest  | :white_check_mark: |
| Older   | :x:                |

## Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly:

### Email
Send details to [contact@zane.org](mailto:contact@zane.org) with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

### What to Expect
- **Response time**: Within 48 hours
- **Updates**: Regular communication about the issue
- **Fix timeline**: Depends on severity and complexity
- **Disclosure**: Coordinated disclosure after fix is deployed

### Please Do Not
- Create public issues for security vulnerabilities
- Exploit vulnerabilities beyond proof-of-concept
- Access data that doesn't belong to you
- Perform DoS attacks

## Security Measures

This project implements several security best practices:

### Code Security
- **Input Sanitization**: All user inputs are sanitized (minimal as site is static)
- **Dependencies**: Regular security audits via `npm audit`
- **Linting**: ESLint configured to catch common security issues
- **CSP Ready**: Content Security Policy headers can be added by hosting provider

### Build Security
- **Dependency Scanning**: GitHub Dependabot enabled
- **Automated Updates**: Security patches applied automatically
- **CI/CD**: All code passes linting and build checks

### Best Practices
- No sensitive data in repository
- No API keys or credentials in code
- HTTPS enforced on live site
- Regular dependency updates
- Minimal external dependencies

## Known Limitations

As a static personal website:
- No backend or database
- No user authentication
- No data collection or storage
- Minimal attack surface

## Security Updates

Security fixes are released as soon as possible after discovery. Check the [CHANGELOG](CHANGELOG.md) for security-related updates.

---

*Last updated: November 2024*
feat: Add testing infrastructure and documentation - Set up Vitest for unit testing with jsdom - Add test setup with Web Audio API and requestAnimationFrame mocks - Create initial test suites for DOM and animations modules - Add test scripts to package.json (test, test:ui, test:run, coverage) - Update CI workflow to include test execution - Create CONTRIBUTING.md with conventional commits guidelines - Create SECURITY.md with security policy - Update ESLint config to support test files - All tests passing (8/8) Co-authored-by: ZaneThePython <102631678+ZaneThePython@users.noreply.github.com> 2025-11-09 00:14:31 +00:00			`# Security Policy`

			`## Supported Versions`

			This is a personal website project. The latest version on the `main` branch is always supported.

			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
			`\| Latest \| :white_check_mark: \|`
			`\| Older \| :x: \|`

			`## Reporting a Vulnerability`

			`If you discover a security vulnerability in this project, please report it responsibly:`

			`### Email`
			`Send details to [contact@zane.org](mailto:contact@zane.org) with:`
			`- Description of the vulnerability`
			`- Steps to reproduce`
			`- Potential impact`
			`- Suggested fix (if any)`

			`### What to Expect`
			`- Response time: Within 48 hours`
			`- Updates: Regular communication about the issue`
			`- Fix timeline: Depends on severity and complexity`
			`- Disclosure: Coordinated disclosure after fix is deployed`

			`### Please Do Not`
			`- Create public issues for security vulnerabilities`
			`- Exploit vulnerabilities beyond proof-of-concept`
			`- Access data that doesn't belong to you`
			`- Perform DoS attacks`

			`## Security Measures`

			`This project implements several security best practices:`

			`### Code Security`
			`- Input Sanitization: All user inputs are sanitized (minimal as site is static)`
			- Dependencies: Regular security audits via `npm audit`
			`- Linting: ESLint configured to catch common security issues`
			`- CSP Ready: Content Security Policy headers can be added by hosting provider`

			`### Build Security`
			`- Dependency Scanning: GitHub Dependabot enabled`
			`- Automated Updates: Security patches applied automatically`
			`- CI/CD: All code passes linting and build checks`

			`### Best Practices`
			`- No sensitive data in repository`
			`- No API keys or credentials in code`
			`- HTTPS enforced on live site`
			`- Regular dependency updates`
			`- Minimal external dependencies`

			`## Known Limitations`

			`As a static personal website:`
			`- No backend or database`
			`- No user authentication`
			`- No data collection or storage`
			`- Minimal attack surface`

			`## Security Updates`

			`Security fixes are released as soon as possible after discovery. Check the [CHANGELOG](CHANGELOG.md) for security-related updates.`

			`---`

			`Last updated: November 2024`