From a8edd5afc01e9e4465280d66eb82cd3b49e1e3ab Mon Sep 17 00:00:00 2001 From: ulsklyc <108589275+ulsklyc@users.noreply.github.com> Date: Sat, 28 Mar 2026 14:27:31 +0100 Subject: [PATCH] Add files via upload --- SECURITY.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..eae4d07 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in Oikos, please report it responsibly. **Do not open a public issue.** + +Email: **ulsklyc@gmail.com** + +Include: + +- Description of the vulnerability +- Steps to reproduce +- Potential impact +- Suggested fix (if you have one) + +You should receive an acknowledgment within 48 hours. Fixes for confirmed vulnerabilities will be released as soon as possible. + +## Scope + +Oikos is designed for self-hosted deployment on a private network behind a reverse proxy with SSL. The security model assumes: + +- The server is not directly exposed to the public internet without Nginx + TLS +- The admin controls all user accounts (no public registration) +- The host machine itself is reasonably secured + +Vulnerabilities that require physical access to the host or root on the server are generally out of scope. + +## Security Features + +- Session-based auth with `httpOnly`, `SameSite=Strict`, `Secure` cookies +- CSRF protection via Double Submit Cookie on all state-changing requests +- Passwords hashed with bcrypt (cost factor 12) +- Login rate limiting (5 attempts/min per IP) +- API rate limiting (300 requests/min per IP) +- Content Security Policy via Helmet (`self`-only) +- Optional SQLCipher AES-256 database encryption +- No API endpoint accessible without session auth (except login) + +## Supported Versions + +Only the latest version on `main` receives security updates. There are no LTS branches.
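Review bot: the per-IP limits under "Security Features" (5 login attempts/min, 300 API requests/min) and the `Secure` cookie flag only behave as described if the application correctly derives the client address and scheme behind the reverse proxy that the "Scope" section requires; otherwise every request appears to come from the proxy's own address, so one shared counter throttles all users, and a `Secure` cookie may never be issued over the plain-HTTP hop between Nginx and the app. Suggest adding a bullet under "Scope" along the lines of "The application must be configured to trust the reverse proxy's forwarded client address and protocol headers" so operators treat it as a deployment requirement rather than discovering it in production. Minor wording: "reverse proxy with SSL" and "Nginx + TLS" should settle on one term (TLS), and the CSP value reads more precisely as `'self'` (the quoted directive keyword) than `self`.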