new-api/.github/SECURITY.md
Calcium-Ion d72cfc8590 Add link to GitHub Security Advisories for reporting
Updated the reporting method for security issues to include a link to the draft security advisory.
2026-01-26 20:43:12 +08:00


# Security Policy
## Supported Versions
We provide security updates for the following versions:

| Version | Supported |
| ------- | ------------------ |
| Latest | :white_check_mark: |
| Older | :x: |

We strongly recommend that users always use the latest version for the best security and features.
## Reporting a Vulnerability
We take security vulnerability reports very seriously. If you discover a security issue, please follow the steps below for responsible disclosure.
### How to Report
**Do NOT** report security vulnerabilities in public GitHub Issues.
To report a security issue, please use the GitHub Security Advisories tab to "[Open a draft security advisory](https://github.com/QuantumNous/new-api/security/advisories/new)". This is the preferred method as it provides a built-in private communication channel.
Alternatively, you can report via email:
- **Email:** support@quantumnous.com
- **Subject:** `[SECURITY] Security Vulnerability Report`
### What to Include
To help us understand and resolve the issue more quickly, please include the following information in your report:
1. **Vulnerability Type** - Brief description of the vulnerability (e.g., SQL injection, XSS, authentication bypass)
2. **Affected Component** - Affected file paths, endpoints, or functional modules
3. **Reproduction Steps** - Detailed steps to reproduce
4. **Impact Assessment** - Potential security impact and severity assessment
5. **Proof of Concept** - If possible, provide proof of concept code or screenshots (do not test in production environments)
6. **Suggested Fix** - If you have a fix suggestion, please provide it
7. **Your Contact Information** - So we can communicate with you
## Response Process
1. **Acknowledgment:** We will acknowledge receipt of your report within **48 hours**.
2. **Initial Assessment:** We will complete an initial assessment and communicate with you within **7 days**.
3. **Fix Development:** Based on the severity of the vulnerability, we will prioritize developing a fix.
4. **Security Advisory:** After the fix is released, we will publish a security advisory (if applicable).
5. **Credit:** If you wish, we will credit your contribution in the security advisory.
## Security Best Practices
When deploying and using New API, we recommend following these security best practices:
### Deployment Security
- **Use HTTPS:** Always serve over HTTPS to ensure transport layer security
- **Firewall Configuration:** Only open necessary ports and restrict access to management interfaces
- **Regular Updates:** Update to the latest version promptly to receive security patches
- **Environment Isolation:** Use separate database and Redis instances in production
### API Key Security
- **Key Protection:** Do not expose API keys in client-side code or public repositories
- **Least Privilege:** Create different API keys for different purposes, following the principle of least privilege
- **Regular Rotation:** Rotate API keys regularly
- **Monitor Usage:** Monitor API key usage and detect anomalies promptly
### Database Security
- **Strong Passwords:** Use strong passwords to protect database access
- **Network Isolation:** The database should not be directly exposed to the public internet
- **Regular Backups:** Back up the database regularly and verify backup integrity
- **Access Control:** Limit database user permissions, following the principle of least privilege
## Security-Related Configuration
Please ensure the following security-related environment variables and settings are properly configured:
- `SESSION_SECRET` - Use a strong random string
- `SQL_DSN` - Ensure the database connection uses a secure configuration
- `REDIS_CONN_STRING` - If using Redis, ensure the connection is secured
For detailed configuration instructions, please refer to the project documentation.
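The following script is an added example, not part of the new-api project, showing one way to generate a strong `SESSION_SECRET` and to audit the three variables listed above before starting the service. It assumes that `SQL_DSN` uses the common Go MySQL DSN form (`user:pass@tcp(host:port)/db?tls=true`) or a `postgres://` URL with `sslmode=`, and that `REDIS_CONN_STRING` is a Redis URL where `rediss://` denotes TLS; loopback hosts are accepted without TLS because they never leave the machine. The function names and the `audit` argument are this example's own conventions, not new-api settings.

```shell
#!/bin/sh
# Added example (not project code): generate a strong SESSION_SECRET and audit
# SESSION_SECRET, SQL_DSN and REDIS_CONN_STRING before deploying new-api.
# The DSN / URL formats matched below are assumptions about common MySQL DSN,
# PostgreSQL URL and Redis URL syntax, not documented new-api formats.

# Emit 32 random bytes as 64 hex characters, with a /dev/urandom fallback
# for hosts without openssl.
gen_session_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Succeeds only for a non-trivial secret of at least 32 characters.
check_session_secret() {
    secret="$1"
    case "$secret" in
        ""|changeme|secret|random_string|123456|password) return 1 ;;
    esac
    [ "${#secret}" -ge 32 ]
}

# Loopback hosts are accepted without TLS (assumption: the database or Redis
# runs on the same machine and the port is not exposed externally).
is_loopback() {
    case "$1" in
        *localhost*|*127.0.0.1*) return 0 ;;
    esac
    return 1
}

# Succeeds when the DSN is set and is either loopback or carries a TLS setting
# (assumed parameter names: tls=true for MySQL, sslmode= for PostgreSQL).
check_sql_dsn() {
    dsn="$1"
    [ -n "$dsn" ] || return 1
    is_loopback "$dsn" && return 0
    case "$dsn" in
        *"tls=true"*|*"sslmode=require"*|*"sslmode=verify-full"*) return 0 ;;
    esac
    return 1
}

# Redis is optional, so an empty value passes; a remote Redis must use rediss://.
check_redis_conn() {
    conn="$1"
    [ -z "$conn" ] && return 0
    is_loopback "$conn" && return 0
    case "$conn" in
        rediss://*) return 0 ;;
    esac
    return 1
}

# Audit the current environment; prints one line per variable and returns
# non-zero if any check failed, so it can gate a deployment step.
audit_env() {
    rc=0
    if check_session_secret "${SESSION_SECRET:-}"; then
        echo "SESSION_SECRET: ok"
    else
        echo "SESSION_SECRET: unset, too short or a default value"; rc=1
    fi
    if check_sql_dsn "${SQL_DSN:-}"; then
        echo "SQL_DSN: ok"
    else
        echo "SQL_DSN: unset, or remote database without TLS"; rc=1
    fi
    if check_redis_conn "${REDIS_CONN_STRING:-}"; then
        echo "REDIS_CONN_STRING: ok"
    else
        echo "REDIS_CONN_STRING: remote Redis without TLS (use rediss://)"; rc=1
    fi
    return $rc
}

# Run the audit only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_env
fi
```

A typical use is `SESSION_SECRET="$(sh audit.sh gen)"` being replaced by a value stored in your secret manager, followed by `sh audit.sh audit` in the deployment pipeline so a missing TLS parameter or a placeholder secret fails the rollout rather than reaching production.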
## Disclaimer
This project is provided "as is" without any express or implied warranty. Users should assess the security risks of using this software in their environment.