chore: sync SECURITY.md from Template-Joomla

2026-06-28 07:46:14 +00:00
parent cb37757087
commit 2fe10deedf
1 changed files with 37 additions and 36 deletions
@@ -19,11 +19,11 @@ You should have received a copy of the GNU General Public License
 along with this program. If not, see <https://www.gnu.org/licenses/>.

 # FILE INFORMATION
-DEFGROUP: [PROJECT_NAME]
-INGROUP: [PROJECT_NAME].Documentation
-REPO: [REPOSITORY_URL]
+DEFGROUP: Template-Joomla
+INGROUP: Template-Joomla.Documentation
+REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Joomla
 PATH: /SECURITY.md
-VERSION: 04.04.01
+VERSION: 01.01.00
 BRIEF: Security vulnerability reporting and handling policy
 -->

@@ -31,7 +31,7 @@ BRIEF: Security vulnerability reporting and handling policy

 ## Purpose and Scope

-This document defines the security vulnerability reporting, response, and disclosure policy for [PROJECT_NAME] and all repositories governed by these standards. It establishes the authoritative process for responsible disclosure, assessment, remediation, and communication of security issues.
+This document defines the security vulnerability reporting, response, and disclosure policy for this Joomla Plugin template repository. It establishes the authoritative process for responsible disclosure, assessment, remediation, and communication of security issues.

 ## Supported Versions

@@ -39,8 +39,8 @@ Security updates are provided for the following versions:

 | Version | Supported          |
 | ------- | ------------------ |
-| [X.x.x] | :white_check_mark: |
-| < [X.0] | :x:                |
+| 01.x.x  | :white_check_mark: |
+| < 01.0  | :x:                |

 Only the current major version receives security updates. Users should upgrade to the latest supported version to receive security patches.

@@ -52,9 +52,9 @@ Only the current major version receives security updates. Users should upgrade t

 Report security vulnerabilities privately to:

-**Email**: `security@[DOMAIN]`
+**Email**: `security@mokoconsulting.tech`

-**Subject Line**: `[SECURITY] Brief Description`
+**Subject Line**: `[SECURITY] Template-Joomla - Brief Description`

 ### What to Include

@@ -118,7 +118,7 @@ Security advisories are published via:

 * GitHub Security Advisories
 * Release notes and CHANGELOG.md
-* Security mailing list (when established)
+* Email notification to project users (if mailing list is established)

 Advisories include:

@@ -131,7 +131,7 @@ Advisories include:

 ## Security Best Practices

-For repositories adopting MokoStandards:
+For projects using this template:

 ### Required Controls

@@ -141,7 +141,17 @@ For repositories adopting MokoStandards:
 * Enforce signed commits (recommended)
 * Use secrets management (never commit credentials)
 * Maintain security documentation
-* Follow secure coding standards defined in `/docs/policy/`
+* Follow secure coding standards defined in MokoStandards
+
+### Joomla Plugin Security
+
+* Follow Joomla security best practices
+* Validate and sanitize all user input
+* Use Joomla's database API to prevent SQL injection
+* Properly escape output to prevent XSS
+* Implement proper access control checks
+* Use Joomla's session and authentication APIs
+* Keep Joomla and dependencies up to date

 ### CI/CD Security

@@ -154,10 +164,10 @@ For repositories adopting MokoStandards:

 #### Automated Security Scanning

-All repositories MUST implement:
+All repositories SHOULD implement:

 **CodeQL Analysis**:
-* Enabled for all supported languages (Python, JavaScript, TypeScript, Java, C/C++, C#, Go, Ruby)
+* Enabled for PHP and other supported languages
 * Runs on: push to main, pull requests, weekly schedule
 * Query sets: `security-extended` and `security-and-quality`
 * Configuration: `.github/workflows/codeql-analysis.yml`
@@ -170,14 +180,6 @@ All repositories MUST implement:
 **Secret Scanning**:
 * Enabled by default with push protection
 * Prevents accidental credential commits
-* Partner patterns enabled
-
-**Dependency Review**:
-* Required for all pull requests
-* Blocks introduction of known vulnerable dependencies
-* Automatic license compliance checking
-
-See [Security Scanning Policy](docs/policy/security-scanning.md) for detailed requirements.

 ### Dependency Management

@@ -189,7 +191,7 @@ See [Security Scanning Policy](docs/policy/security-scanning.md) for detailed re

 ## Compliance and Governance

-This security policy is binding for all repositories governed by MokoStandards. Deviations require documented justification and approval from the Security Owner.
+This security policy is aligned with MokoStandards. Deviations require documented justification.

 Security policies are reviewed and updated at least annually or following significant security incidents.

@@ -203,8 +205,8 @@ We acknowledge and appreciate responsible disclosure. With your permission, we w

 ## Contact and Escalation

-* **Security Team**: security@[DOMAIN]
-* **Primary Contact**: [CONTACT_EMAIL]
+* **Security Team**: security@mokoconsulting.tech
+* **Primary Contact**: hello@mokoconsulting.tech
 * **Escalation**: For urgent matters requiring immediate attention, contact the maintainer directly via GitHub

 ## Out of Scope
@@ -222,19 +224,18 @@ The following are explicitly out of scope:

 ## Metadata

-| Field        | Value                                           |
-| ------------ | ----------------------------------------------- |
-| Document     | Security Policy                                 |
-| Path         | /SECURITY.md                                    |
-| Repository   | [REPOSITORY_URL]                                |
-| Owner        | [OWNER_NAME]                                    |
-| Scope        | Security vulnerability handling                 |
-| Applies To   | All repositories governed by MokoStandards      |
-| Status       | Active                                          |
-| Effective    | [YYYY-MM-DD]                                    |
+| Field        | Value                                                                                                         |
+| ------------ | ------------------------------------------------------------------------------------------------------------ |
+| Document     | Security Policy                                                                                               |
+| Path         | /SECURITY.md                                                                                                  |
+| Repository   | [https://github.com/mokoconsulting-tech/Template-Joomla](https://github.com/mokoconsulting-tech/Template-Joomla) |
+| Owner        | Moko Consulting                                                                                              |
+| Scope        | Security vulnerability handling                                                                              |
+| Status       | Active                                                                                                       |
+| Effective    | 2026-01-16                                                                                                   |

 ## Revision History

 | Date       | Change Description                                | Author          |
 | ---------- | ------------------------------------------------- | --------------- |
-| [YYYY-MM-DD] | Initial creation                                | [AUTHOR_NAME]   |
+| 2026-01-16 | Initial creation for template repository          | Moko Consulting |