chore: add scope to SECURITY

revoltchat · Jun 12, 2023 · 30eafac · 30eafac
1 parent 7f9f5cd
commit 30eafac
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -2,6 +2,16 @@
 
 ## Reporting a Vulnerability
 
+Before reporting a vulnerability, please make sure it is in scope, for example you should report:
+
+- Server vulnerabilities that may escalate user privileges or allow exfiltration of data.
+- Client vulnerabilities that allow remote code execution or allow exfiltration of data.
+
+You should not report anything that requires phyiscal access to a client machine to achieve, such as:
+
+- Intercepting requests to visually affect client privilege (and not actual server privilege)
+- Exfiltration of user credentials through third party sites
+
 If you would like to report a security vulnerability,
 please email **[[email protected]](mailto:[email protected])**,
 this will open a new ticket in ticket system, you should receive a response