59 changes: 59 additions & 0 deletions SECURITY.md
@@ -0,0 +1,59 @@
# Security Policy

[中文版](./SECURITY_CN.md)

BitFun is a desktop-grade Agent runtime (Rust core + Tauri shell) that runs on your own machine with broad capabilities—filesystem, terminal, Git, MCP/LSP, and remote control. Because of this reach, we take security reports seriously and appreciate the community's help in keeping users safe.

## Supported Versions

BitFun is currently in active `0.x` development and ships as a rolling release. Security fixes land on the latest release; older versions are not patched separately.

| Version | Supported |
| ------- | --------- |
| Latest release (`main`) | ✅ |
| Older releases | ❌ |

Please upgrade to the latest [release](https://github.com/GCWing/BitFun/releases) before reporting an issue to confirm it still reproduces.

## Reporting a Vulnerability

**Please do not open a public issue, discussion, or pull request for security vulnerabilities.** Public disclosure before a fix is available puts users at risk.

Instead, report privately through GitHub Security Advisories:

➡️ **[Report a vulnerability](https://github.com/GCWing/BitFun/security/advisories/new)**

This opens a private channel visible only to the maintainers. If you are unable to use GitHub Security Advisories, open a minimal public issue that says only "I'd like to report a security issue privately"—without any details—and a maintainer will follow up with a private channel.

To help us triage quickly, please include where you can:

- A clear description of the vulnerability and its impact
- The affected component (Rust core, desktop/Tauri, web UI, mobile-web pairing, server/relay, CLI, installer, etc.)
- Step-by-step reproduction instructions or a proof of concept
- Affected version(s), operating system, and configuration
- Any suggested mitigation or fix, if you have one

## Disclosure Process

- We aim to acknowledge new reports within **5 business days**.
- We will work with you to confirm the issue, assess severity, and determine a fix timeline, keeping you updated on progress.
- Once a fix is released, we will publish a security advisory and credit the reporter unless you prefer to remain anonymous.
- We follow coordinated disclosure: please give us a reasonable window to ship a fix before any public disclosure.

## Scope

In scope:

- The BitFun runtime, official Agents, desktop/CLI/server apps, web UI, and the mobile-web pairing/remote-control flow in this repository.

Out of scope:

- Issues in third-party dependencies (please report those upstream; let us know if a BitFun update is needed).
- Vulnerabilities that require a pre-compromised machine, physical access, or already-elevated privileges.
- Risks inherent to running an autonomous Agent with capabilities you explicitly grant it (e.g., a tool you authorized acting within its granted permissions).

## Safe Harbor

We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy and who avoid privacy violations, data destruction, and service disruption during testing.

Thank you for helping keep BitFun and its users safe.
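Review bot: the "Supported Versions" table conflates a branch with a release: "Latest release (`main`)" can be read either as the most recent tagged release or as the tip of the `main` branch, and the two differ for a rolling `0.x` project. State which one receives fixes, e.g. "Latest tagged release" with a separate row for `main` if unreleased commits are also covered. Two smaller points: the fallback path in "Reporting a Vulnerability" still requires a GitHub account, so consider adding a security contact e-mail (optionally with a published key) for reporters who cannot use the platform at all; and the third "Out of scope" bullet ("a tool you authorized acting within its granted permissions") should say explicitly whether an Agent being steered by untrusted input into misusing a granted capability is in scope, since that is the case reporters are most likely to be unsure about for a runtime with filesystem, terminal and remote-control reach.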
59 changes: 59 additions & 0 deletions SECURITY_CN.md
@@ -0,0 +1,59 @@
# 安全策略

[English](./SECURITY.md)

BitFun 是一个运行在你本机的桌面级 Agent 运行时(Rust 内核 + Tauri 外壳),具备文件系统、终端、Git、MCP/LSP 以及远程控制等广泛能力。正因为权限范围较大,我们非常重视安全问题,并感谢社区帮助我们保护用户安全。

## 受支持的版本

BitFun 目前处于 `0.x` 活跃开发阶段,采用滚动发布。安全修复只会合入最新发布版本,旧版本不会单独打补丁。

| 版本 | 是否支持 |
| ---- | -------- |
| 最新发布版(`main`) | ✅ |
| 较旧的发布版 | ❌ |

在上报问题前,请先升级到最新[发布版](https://github.com/GCWing/BitFun/releases),确认问题仍可复现。

## 如何上报漏洞

**请不要通过公开的 Issue、Discussion 或 Pull Request 来上报安全漏洞。** 在修复发布之前公开披露会让用户面临风险。

请通过 GitHub Security Advisories 私密上报:

➡️ **[上报漏洞](https://github.com/GCWing/BitFun/security/advisories/new)**

该入口会开启一个仅维护者可见的私密渠道。如果你无法使用 GitHub Security Advisories,可以新建一个极简的公开 Issue,仅写明「我想私下上报一个安全问题」——不要附带任何细节——维护者会与你建立私密沟通渠道。

为便于我们快速分诊,请尽量提供以下信息:

- 漏洞的清晰描述及其影响
- 受影响的组件(Rust 内核、桌面端/Tauri、Web UI、移动端配对、服务端/中继、CLI、安装器等)
- 复现步骤或概念验证(PoC)
- 受影响的版本、操作系统及相关配置
- 如有缓解措施或修复建议,也欢迎一并提供

## 披露流程

- 我们会争取在 **5 个工作日内**确认收到新的上报。
- 我们会与你一起确认问题、评估严重程度并确定修复时间线,并持续向你同步进展。
- 修复发布后,我们会发布安全公告,并在你愿意的情况下致谢上报者(若你希望匿名,我们将予以尊重)。
- 我们遵循协调披露原则:请在公开披露前给我们留出合理的修复窗口期。

## 适用范围

适用范围内:

- 本仓库中的 BitFun 运行时、官方 Agent、桌面端/CLI/服务端应用、Web UI,以及移动端配对/远程控制流程。

不在适用范围内:

- 第三方依赖中的问题(请向上游上报;如需 BitFun 侧更新请告知我们)。
- 需要事先攻陷机器、物理访问或已提权环境才能触发的漏洞。
- 运行自主 Agent 时由你明确授予的能力所固有的风险(例如某个你已授权的工具在其权限范围内执行操作)。

## 安全港(Safe Harbor)

对于善意发现并按照本策略上报漏洞,且在测试过程中避免侵犯隐私、破坏数据与中断服务的研究者,我们不会对其采取或支持任何法律行动。

感谢你帮助保障 BitFun 及其用户的安全。
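Review bot: the translation tracks the English file closely (same 5-business-day acknowledgement, same scope bullets), but it inherits the same ambiguity in the version table at "最新发布版(`main`)", which should be resolved identically in both files. Since each file links to the other, add one sentence to both stating which language version is authoritative if they ever diverge, and consider a CI or review checklist item that a change to either SECURITY file requires a matching change to the other.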