chore(docs): update security policy to prevent public vulnerability disclosure

- Direct security reports to email only instead of public GitHub issues - Set clear expectations: no CVEs during beta (v0.x) phase - Add security best practices for self-hosted deployments - Plan formal vulnerability disclosure program for v1.0+ Addresses #5255

chore(docs): update security policy to prevent public vulnerability disclosure
- Direct security reports to email only instead of public GitHub issues - Set clear expectations: no CVEs during beta (v0.x) phase - Add security best practices for self-hosted deployments - Plan formal vulnerability disclosure program for v1.0+ Addresses #5255
d69435c9 · Steven · a533ba02 · d69435c9
Commit d69435c9 authored Nov 21, 2025 by Steven
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 3 deletions

SECURITY.md SECURITY.md +42 -3

No files found.
--- a/SECURITY.md
+++ b/SECURITY.md
 # Security Policy

-## Reporting a bug
+## Project Status

-Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues).
+Memos is currently in beta (v0.x). While we take security seriously, we are not yet ready for formal CVE assignments or coordinated disclosure programs.

-For more information, please contact [usememos@gmail.com](usememos@gmail.com).
+## Reporting Security Issues
+
+### For All Security Concerns:
+Please report via **email only**: usememos@gmail.com
+
+**DO NOT open public GitHub issues for security vulnerabilities.**
+
+Include in your report:
+- Description of the issue
+- Steps to reproduce
+- Affected versions
+- Your assessment of severity
+
+### What to Expect:
+- We will acknowledge your report as soon as we can
+- Fixes will be included in regular releases without special security advisories
+- No CVEs will be assigned during the beta phase
+- Credit will be given in release notes if you wish
+
+### For Non-Security Bugs:
+Use GitHub issues for functionality bugs, feature requests, and general questions.
+
+## Philosophy
+
+As a beta project, we prioritize:
+1. **Rapid iteration** over lengthy disclosure timelines
+2. **Quick patches** over formal security processes
+3. **Transparency** about our beta status
+
+We plan to implement formal vulnerability disclosure and CVE handling after reaching v1.0 stable.
+
+## Self-Hosting Security
+
+Since Memos is self-hosted software:
+- Keep your instance updated to the latest release
+- Don't expose your instance directly to the internet without authentication
+- Use reverse proxies (nginx, Caddy) with rate limiting
+- Review the deployment documentation for security best practices
+
+Thank you for helping improve Memos!