# Encrypted Security Disclosure — Reporter Workflow

This document is for **external security researchers** who have found an issue in this repository and want to report it without exposing sensitive details (PII, exploit chains, internal infrastructure) in transit or at rest on third-party servers.

If your report doesn't need encryption, please use [GitHub Security Advisories](https://github.com/sebastienrousseau/dotfiles/security/advisories) instead — it's faster and the GitHub-side audit trail is stronger.

## 1. Fetch the maintainer's public key

```sh
# Web Key Directory is the modern recommendation.
gpg --auto-key-locate clear,wkd \
    --locate-keys security@sebastienrousseau.com
```

If WKD fails (offline keyserver, corporate proxy), download directly:

```sh
curl -fsSL \
  https://sebastienrousseau.com/.well-known/openpgpkey/hu/qpzqfwauiwxnu1xrf5h47bunsho44p6f \
  | gpg --import
```

## 2. Verify the fingerprint

**Do not skip this step.** A MITM attacker can serve their own key.

```sh
gpg --fingerprint security@sebastienrousseau.com
```

The fingerprint must match the one published in [`.github/SECURITY.md`](../../.github/SECURITY.md). Cross-verify against the SSH signing key in `dot_config/git/allowed_signers.tmpl` — the maintainer signs commits with the same identity, so both fingerprints derive from the same identity claim.

If the two fingerprints don't match, **stop**. Open a private [Security Advisory](https://github.com/sebastienrousseau/dotfiles/security/advisories/new) and ask the maintainer to confirm the key out-of-band.

## 3. Encrypt your report

```sh
cat <<EOF | gpg --encrypt --armor \
    --recipient security@sebastienrousseau.com \
    --output disclosure.asc
Subject: <short description of the issue>

<full details — repro steps, affected versions, exploit, screenshots
referenced by base64-encoded attachments, contact info for follow-up>
EOF
```

Verify the output is an ASCII-armored OpenPGP message before sending:

```sh
head -1 disclosure.asc
# Expected: -----BEGIN PGP MESSAGE-----
```

## 4. Send

Attach `disclosure.asc` to an email to **<security@sebastienrousseau.com>**.

Subject line: `[dotfiles] <severity>: <short description>` (no encryption-sensitive content in the subject; mail relays log subjects in plain text).

## 5. Acknowledgement

You should receive an acknowledgement within the SLA in [`.github/SECURITY.md`](../../.github/SECURITY.md):

| Severity | Initial response |
|---|---|
| Critical | 24 hours |
| High | 72 hours |
| Medium | 5 business days |
| Low | 10 business days |

The acknowledgement will be signed with the same key you encrypted to. Verify the signature:

```sh
gpg --verify response.asc
```

If you don't receive an acknowledgement in the SLA window, or the acknowledgement signature doesn't verify, escalate by:

1. Opening a private GitHub Security Advisory.
2. DM-ing the maintainer on Mastodon: `@sebastienrousseau@hachyderm.io`.

## 6. After disclosure

The maintainer commits to:

- A fix timeline communicated within the SLA.
- A CVE assignment when severity ≥ Medium and the issue affects published releases (npm package, release tarballs).
- Public credit at fix time in the release notes (unless you request anonymity at report time).
- A backport to any actively-supported release line listed in `.github/SECURITY.md`.

## What NOT to do

- Don't post details in a public issue, even an "I found a bug, ping me for details" placeholder — every public reference is a tip-off to attackers monitoring the repo.
- Don't disclose to third parties (other dotfile maintainers, security mailing lists, blog posts) before the embargo lifts.
- Don't access data or systems you don't own.
- Don't run automated scans against `*.sebastienrousseau.com` that exceed normal browser-like traffic.

## See also

- [`.github/SECURITY.md`](../../.github/SECURITY.md) — policy overview + fingerprint.
- [`docs/security/KEY_ROTATION.md`](KEY_ROTATION.md) — schedule for when the disclosure key is rotated.
- [`docs/security/AUDIT_BYPASS.md`](AUDIT_BYPASS.md) — separate flow for the pre-push audit bypass (not for disclosure).
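The following is an added example, not part of this document or the project's own tooling. It ties steps 1 to 3 together in a POSIX sh wrapper that pins the expected key fingerprint, compares it against the key actually imported into the local keyring, and only then encrypts the report and checks the armor header. `EXPECTED_FPR` is a placeholder you must replace with the value from `.github/SECURITY.md`; the function names and the `report.txt` / `disclosure.asc` file names are the example's own choices.

```sh
#!/bin/sh
# Added example (not from the original document): refuse to encrypt unless the
# locally imported key matches a pinned fingerprint.
# EXPECTED_FPR is a PLACEHOLDER; replace with the fingerprint in .github/SECURITY.md.
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
RECIPIENT="security@sebastienrousseau.com"

# Canonicalise a fingerprint for comparison: drop whitespace, upper-case the hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when both inputs are the same 40-hex-digit fingerprint, 1 otherwise.
# Anything that is not exactly 40 hex characters after normalisation (empty
# output from gpg, a short key ID) is rejected rather than accidentally matched.
fpr_matches() {
  a=$(normalize_fpr "$1")
  b=$(normalize_fpr "$2")
  case "$a" in
    *[!0-9A-F]*|"") return 1 ;;
  esac
  [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Read the primary-key fingerprint from gpg's machine-readable output:
# with --with-colons, the first "fpr" record carries the fingerprint in field 10.
local_fpr() {
  gpg --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 when the file starts with the ASCII-armor message header, 1 otherwise.
is_armored_message() {
  [ "$(head -n 1 "$1")" = "-----BEGIN PGP MESSAGE-----" ]
}

# Encrypt a plaintext report only after the pin check passes.
# Usage: encrypt_report report.txt disclosure.asc
encrypt_report() {
  in="$1"
  out="$2"
  fpr=$(local_fpr "$RECIPIENT")
  if ! fpr_matches "$fpr" "$EXPECTED_FPR"; then
    echo "fingerprint mismatch: keyring has '${fpr:-none}', expected pinned value; stop." >&2
    return 1
  fi
  gpg --encrypt --armor --recipient "$RECIPIENT" --output "$out" "$in" || return 1
  is_armored_message "$out" || { echo "$out is not an armored PGP message" >&2; return 1; }
  echo "wrote $out (armored, encrypted to $fpr)"
}
```

Source the file and call `encrypt_report report.txt disclosure.asc`; on a mismatch nothing is written, which is the behaviour step 2 asks for when the fingerprints disagree. Comparing the full 40-digit fingerprint rather than a short key ID matters because short IDs are easy to collide.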