b9fde03f1e
Firewall (the service.rs core landed in efb1ba2): scope the web-console rule
(TCP 47992) to Domain+Private by default with a `--allow-public-network` opt-in
that deletes-then-re-adds the rule, and add the installer "Allow connections on
Public networks" task (unchecked) forwarding the flag to `service install` and
`web setup`. Default is now trusted-networks-only; Public is explicit.

Vulnerability disclosure: SECURITY.md (report to security@punktfunk.com, scope,
SLAs, safe harbor), a Gitea issue-template contact link, a README security line,
and a Reporting section on the docs Security page.

Docs: the Security page now documents the Private/Domain firewall default (and
how to fix a misclassified-Public network / opt in); removed internal design-doc
and CLAUDE.md links from the user-facing docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
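
One way to confirm the trusted-networks-only default on a host: the Rust sketch below is an added example, not code from this commit or from service.rs. It parses the text printed by `netsh advfirewall firewall show rule name=all` (English locale assumed) and lists enabled inbound TCP allow rules that still cover port 47992 on the Public profile. The rule names in the sample are hypothetical.

```rust
// Added example (not project code). Input: text of
// `netsh advfirewall firewall show rule name=all`, English locale assumed.
#[derive(Default)]
struct Rule { name: String, on: bool, inbound: bool, allow: bool, tcp: bool, profiles: String, ports: String }

/// Names of enabled inbound TCP allow rules covering `port` on the Public profile.
/// Scope: Protocol TCP with an explicit LocalPort; other protocols are not evaluated.
fn public_exposed(netsh_output: &str, port: u16) -> Vec<String> {
    let mut rules: Vec<Rule> = Vec::new();
    for line in netsh_output.lines() {
        let Some((key, value)) = line.split_once(':') else { continue }; // skips separator rows
        let (key, value) = (key.trim(), value.trim());
        if key == "Rule Name" { rules.push(Rule { name: value.to_string(), ..Default::default() }); continue; }
        let Some(rule) = rules.last_mut() else { continue };
        match key {
            "Enabled" => rule.on = value == "Yes",
            "Direction" => rule.inbound = value == "In",
            "Action" => rule.allow = value == "Allow",
            "Protocol" => rule.tcp = value == "TCP",
            "Profiles" => rule.profiles = value.to_string(),
            "LocalPort" => rule.ports = value.to_string(),
            _ => {}
        }
    }
    rules.into_iter()
        .filter(|r| r.on && r.inbound && r.allow && r.tcp && port_matches(&r.ports, port))
        .filter(|r| r.profiles.split(',').any(|p| matches!(p.trim(), "Public" | "Any")))
        .map(|r| r.name)
        .collect()
}

/// LocalPort may be "Any", a single port, a list ("80,443") or a range ("5000-5010").
fn port_matches(spec: &str, port: u16) -> bool {
    spec.split(',').map(str::trim).any(|part| match part.split_once('-') {
        Some((lo, hi)) => matches!((lo.parse::<u16>(), hi.parse::<u16>()), (Ok(l), Ok(h)) if l <= port && port <= h),
        None => part == "Any" || part.parse::<u16>() == Ok(port),
    })
}

// Constructed sample; rule names are hypothetical, only port 47992 comes from the commit message.
const SAMPLE: &str = concat!(
    "Rule Name: console-default\nEnabled: Yes\nDirection: In\nProfiles: Domain,Private\nProtocol: TCP\nLocalPort: 47992\nAction: Allow\n\n",
    "Rule Name: console-public-opt-in\nEnabled: Yes\nDirection: In\nProfiles: Domain,Private,Public\nProtocol: TCP\nLocalPort: 47992\nAction: Allow\n",
);

fn main() {
    println!("{:?}", public_exposed(SAMPLE, 47992));
}
```

An empty result means no matching rule reaches the Public profile; a non-empty one names the rules to review against the `--allow-public-network` opt-in.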
10 lines
500 B
YAML
```yaml
# Shown on the "new issue" chooser so security reports go to the private channel, not a public issue.
blank_issues_enabled: true
contact_links:
  - name: 🔒 Report a security vulnerability
    url: https://git.unom.io/unom/punktfunk/src/branch/main/SECURITY.md
    about: >-
      Found a security issue? Please report it privately by email to security@punktfunk.com — do not
      open a public issue, so other users aren't exposed before a fix ships. See SECURITY.md for the
      full policy.
```