|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## 🔒 Security Philosophy |
| 4 | + |
| 5 | +At sysAdmin, security is foundational to our mission. We prioritize the protection of our users' data and servers by following industry best practices for secure coding, credential management, and data protection. Since our application handles sensitive server credentials and operations, we take security extremely seriously. |
| 6 | + |
| 7 | +## 🛡️ Supported Versions |
| 8 | + |
| 9 | +Only the most recent version of sysAdmin receives security updates. We strongly recommend all users to update to the latest release as soon as available. |
| 10 | + |
| 11 | +| Version | Supported | |
| 12 | +| ------- | ------------------ | |
| 13 | +| latest | :white_check_mark: | |
| 14 | +| < latest| :x: | |
| 15 | + |
| 16 | +## 🐛 Reporting a Vulnerability |
| 17 | + |
| 18 | +We appreciate the work of security researchers and the responsible disclosure of security vulnerabilities. If you discover a security issue in sysAdmin, please follow these guidelines: |
| 19 | + |
| 20 | +### How to Report |
| 21 | + |
| 22 | +1. **Do NOT create a public GitHub issue** for security vulnerabilities |
| 23 | +2. Email your findings to [[email protected]](mailto:[email protected]) |
| 24 | +3. Include detailed information about the vulnerability: |
| 25 | + - Description of the issue |
| 26 | + - Steps to reproduce |
| 27 | + - Potential impact |
| 28 | + - Any suggested mitigations (if available) |
| 29 | +4. If possible, provide proof of concept code or screenshots that demonstrate the vulnerability |
| 30 | + |
| 31 | +### What to Expect |
| 32 | + |
| 33 | +- **Initial Response:** We aim to acknowledge receipt of your report within 48 hours |
| 34 | +- **Updates:** You will receive updates on the progress of your report within 7 days |
| 35 | +- **Resolution:** We will work diligently to verify and fix the issue as quickly as possible |
| 36 | +- **Disclosure:** We practice coordinated disclosure and will work with you to determine an appropriate timeline for public disclosure after the issue is fixed |
| 37 | + |
| 38 | +### Recognition |
| 39 | + |
| 40 | +We believe in acknowledging security researchers who help improve our security: |
| 41 | + |
| 42 | +- Researchers who report valid security vulnerabilities will be credited (with their permission) in our release notes and security advisories |
| 43 | +- We may establish a security hall of fame on our GitHub repository for significant contributions |
| 44 | + |
| 45 | +## 🧰 Application Security Features |
| 46 | + |
| 47 | +sysAdmin implements several security measures to protect user data: |
| 48 | + |
| 49 | +### Credential Storage |
| 50 | + |
| 51 | +- All SSH credentials and keys are stored in the device's secure storage using the `flutter_secure_storage` package |
| 52 | +- Credentials are never transmitted to external servers or services |
| 53 | +- Private keys are handled securely in memory and cleared after use |
| 54 | + |
| 55 | +### Communications Security |
| 56 | + |
| 57 | +- All communications with Linux servers are encrypted using SSH protocols |
| 58 | +- We use industry-standard SSH/SFTP libraries (dartssh2) with secure cipher suites |
| 59 | +- The application does not implement custom cryptographic solutions |
| 60 | + |
| 61 | +### Local Authentication |
| 62 | + |
| 63 | +- Local device authentication (biometric/PIN) is required before accessing stored credentials |
| 64 | +- The app implements session timeouts to protect against unauthorized access |
| 65 | + |
| 66 | +### Permission Model |
| 67 | + |
| 68 | +- The application requests only the minimum required device permissions necessary for operation |
| 69 | +- File access is limited to designated directories for uploading/downloading files |
| 70 | + |
| 71 | +## 📋 Security Best Practices for Users |
| 72 | + |
| 73 | +We recommend the following security practices for users: |
| 74 | + |
| 75 | +1. **Use SSH Keys** instead of passwords when possible |
| 76 | +2. **Enable Device Lock** on your mobile device |
| 77 | +3. **Regularly Update** the sysAdmin application to the latest version |
| 78 | +4. **Avoid Public Networks** when managing sensitive servers |
| 79 | +5. **Use Restricted Users** with limited privileges for routine server management |
| 80 | +6. **Enable Timeout** settings in the app to automatically log out after inactivity |
| 81 | +7. **Verify Server Fingerprints** when establishing new connections |
| 82 | +8. **Don't Root/Jailbreak** devices used for server management |
| 83 | + |
| 84 | +## 🔄 Security Development Lifecycle |
| 85 | + |
| 86 | +Our development process includes: |
| 87 | + |
| 88 | +1. **Design Reviews** for security implications of new features |
| 89 | +2. **Static Analysis** of code to identify potential vulnerabilities |
| 90 | +3. **Dependency Scanning** to identify and update vulnerable dependencies |
| 91 | +4. **Manual Code Reviews** with specific focus on security aspects |
| 92 | +5. **Testing** for common security vulnerabilities |
| 93 | + |
| 94 | +## 📑 Compliance & Standards |
| 95 | + |
| 96 | +While sysAdmin is not currently certified against security standards, we strive to follow best practices from: |
| 97 | + |
| 98 | +- OWASP Mobile Security Project guidelines |
| 99 | +- Google's Mobile Application Security Verification Standard (MASVS) |
| 100 | +- Flutter security best practices |
| 101 | + |
| 102 | +--- |
| 103 | + |
| 104 | +This security policy will be updated periodically as our security practices evolve. Last updated: April 18, 2025. |
0 commit comments