From 2919093be2b878075264469f0875a496acc45f66 Mon Sep 17 00:00:00 2001 From: Lamparter Date: Mon, 29 Jul 2024 19:10:14 +0100 Subject: [PATCH 1/2] GitHub: Add security policy (#501) --- .github/SECURITY.md | 64 +++++++++++++++++++ SECURITY.md | 21 ------ .../Views/AppSettings/GeneralPage.xaml | 4 ++ 3 files changed, 68 insertions(+), 21 deletions(-) create mode 100644 .github/SECURITY.md delete mode 100644 SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 000000000..5d87a0745 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,64 @@ + + +# Security Policy + +This is our policy for reporting security vulnerabilities and overall guidelines on what you should do upon discovering one. + +> [!NOTE] +> This document also outlines the measures we have put in to prevent security vulnerabilities in the first place. + +--- + + + +## Reporting Security Vulnerabilities + + + +**Please report security advistiry from "New draft security advisory" in the Security tab** + +In order to report a security vulnerability, you can use [GitHub's built-in tool](https://github.com/0x5bfa/FluentHub/security/advisories/new) which easily allows you to calculate an _attack vector/CVSS string_ or attribute to an existing [`CVE`](https://cve.org) code. This allows the FluentHub Team to accurately calculate the severity and/or importance of preventing it. + +### Spotting secrets in code + +If you spot a secret in the code, please let us know by contacting us on Discord via private DM. This helps us quietly remove the vulnerability without letting others abuse it. +If you notice that we've accidentally published an `AppCredentials.config` file or removed it from the `.gitignore` in the project root, please notify us. + +### GitHub API + +FluentHub relies heavily on the GitHub `GraphQL` and legacy `REST` API. If you believe that you have found a security vulnerability in the API and not FluentHub, _please please please_ report it on via [`bounty.github.com`](https://bounty.github.com/), GitHub's official site for reporting vulnerabilities. This helps keep all open-source code safe and protects millions of developers, governments and other organisations across the world. +> All bounty submissions are rated by GitHub using a purposefully simple scale. + +## Our Measures + +What have we done to keep FluentHub safe? + +### Dependabot + +We have implemented Dependabot alerts to automatically track security vulnerabilities that apply to the repository's dependencies. 
+ +### Code scanning + +We have enabled GitHub Code Scanning to automatically scan our code for potential GitHub client secrets and other API tokens. + +### Security advisories + +We have enabled GitHub security advisories to let us know if a potential security problem might affect our repository or if something doesn't look right with any of our other security vulnerability countermeasures. This makes it easy to track potential errors or problems that might expose user credentials publicly or cause other similar problems. diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 034e84803..000000000 --- a/SECURITY.md +++ /dev/null @@ -1,21 +0,0 @@ -# Security Policy - -## Supported Versions - -Use this section to tell people about which versions of your project are -currently being supported with security updates. - -| Version | Supported | -| ------- | ------------------ | -| 5.1.x | :white_check_mark: | -| 5.0.x | :x: | -| 4.0.x | :white_check_mark: | -| < 4.0 | :x: | - -## Reporting a Vulnerability - -Use this section to tell people how to report a vulnerability. - -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. diff --git a/src/FluentHub.App/Views/AppSettings/GeneralPage.xaml b/src/FluentHub.App/Views/AppSettings/GeneralPage.xaml index 5f152d260..4ecfafae4 100644 --- a/src/FluentHub.App/Views/AppSettings/GeneralPage.xaml +++ b/src/FluentHub.App/Views/AppSettings/GeneralPage.xaml @@ -153,6 +153,10 @@ Grid.Column="3" Content="Code of conduct" NavigateUri="https://github.com/0x5BFa/FluentHub/blob/main/.github/CODE_OF_CONDUCT.md" /> + From d137c630a2883bb1b1d78277836b7e436f03b29e Mon Sep 17 00:00:00 2001 
From: 0x5BFA <62196528+0x5bfa@users.noreply.github.com> Date: Sat, 3 Aug 2024 08:38:35 +0900 Subject: [PATCH 2/2] Create devcontainer.json --- .devcontainer/devcontainer.json | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .devcontainer/devcontainer.json diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000..ea70d2d5e --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,5 @@ +{ + "features": { + "ghcr.io/devcontainers/features/powershell:1": {} + } +}
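Review bot: The "Spotting secrets in code" section of the new .github/SECURITY.md asks reporters to use a Discord private DM but names no server, handle or invite, so a finder has no way to reach you; point this case at the same private channel the section above already establishes ("New draft security advisory" in the Security tab) or add the concrete Discord contact. Also state that a leaked credential such as `AppCredentials.config` must be revoked and rotated, not only removed from the tree, since the commit history still carries it. Two wording fixes in the same hunk: "security advistiry" should read "security advisory", and "report it on via" should read "report it via". Finally, the "Code scanning" paragraph describes token detection, which on GitHub is the separate "Secret scanning" feature; either name it as such or describe what Code Scanning (CodeQL analysis of the source) actually covers.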
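Review bot: Deleting the root SECURITY.md is fine because GitHub also surfaces .github/SECURITY.md in the Security tab, and the removed content was untouched template text, but the two sections it covered ("Supported Versions" and what a reporter should expect after filing) have no counterpart in the new file; carry over a short statement of which releases receive security fixes and the response and disclosure timeline reporters can expect.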
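Review bot: The four added lines in the GeneralPage.xaml hunk are not visible in this excerpt (only the leading "+" survives), so the new control cannot be checked here; if it mirrors the preceding "Code of conduct" HyperlinkButton, confirm that its NavigateUri targets the `.github/SECURITY.md` path created in this patch rather than the root `SECURITY.md` the patch deletes, and that it uses a Grid.Column other than 3 so it does not overlap the existing link.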
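Review bot: The new devcontainer.json declares only the `ghcr.io/devcontainers/features/powershell:1` feature and no `image` or `build`, so the container falls back to the default base image and provides no .NET or Windows App SDK toolchain; given the WinUI project under src/FluentHub.App this container will not build FluentHub, so either document that it is for scripting only or drop it. From a supply-chain standpoint, set an explicit `image` and pin the feature to an exact version (or digest) rather than the floating `:1` major tag, so that what the container pulls from ghcr.io is reproducible.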