ente/SECURITY.md
Manav Rathi e9d76688ce Move to monorepo
Move all of our code into a monorepo in preparation of open sourcing our server.

First I describe the general plan, then later I've kept an exact log of the
commands that I used. This was all done prior to this commit, but this commit
(that introduces the various top level files) seems like a good way to summarize
the entire process.

Clone auth. Auth is our base repository.

```sh
git clone https://github.com/ente-io/auth.git && cd auth
```

Move all of auth's files into `auth/`.

```sh
mkdir auth
git mv `find . -maxdepth 1 | grep -v -e '\.$' -e '\.\/.git$' -e '\.\/auth$'` auth
git commit -m 'Move into auth/'
```

Add photos-web as a new remote, and fetch its main.

```sh
git remote add photos-web https://github.com/ente-io/photos-web.git
git fetch photos-web main
```

Switch to main of photos-web.

```sh
git checkout -b photos-web-main photos-web/main
```

Move all of its files into `web` (note, the find now has an extra exclusion for
`web`, but we keep all the old ones too):

```sh
mkdir web
git mv `find . -maxdepth 1 | grep -v -e '^\.$' -e '^\.\/.git$' -e '^\.\/auth$' -e '^\.\/web$'` web
git commit -m 'Move into web/'
```

Switch back to main, and merge the photos-web branch. The
`--allow-unrelated-histories` flag is needed (since these two branches don't
have any previous common ancestor).

```sh
git checkout main
git merge --allow-unrelated-histories photos-web-main
```

That's it. We then repeat this process for all the other repositories that we
need to bring in.

There is no magic involved here, so regular git commands will continue working.
However, all the files get renamed, so to track the git history prior to this
rename commit we'll need to pass the `--follow` flag.

```sh
git log --follow -p -- auth/migration-guides/encrypted_export.md
```

For some file names like README.md which exist in multiple repositories, this
doesn't seem to work so well (I don't fully understand why). For example,
`git log --follow -p -- auth/README.md` lists the changes to all the READMEs,
not just the auth README.md.

```sh
git clone https://github.com/ente-io/auth.git ente
cd ente

mkdir auth
git mv `find . -maxdepth 1 | grep -v -e '\.$' -e '\.\/.git$' -e '\.\/auth$'` auth
git commit -m 'Move into auth/'

git remote add photos-web https://github.com/ente-io/photos-web.git
git fetch photos-web main
git checkout -b photos-web-main photos-web/main

mkdir web
git mv `find . -maxdepth 1 | grep -v -e '^\.$' -e '^\.\/.git$' -e '^\.\/auth$' -e '^\.\/web$'` web
git commit -m 'Move into web/'

git checkout main
git merge --allow-unrelated-histories photos-web-main
git branch -D photos-web-main
git remote remove photos-web

git remote add photos-app https://github.com/ente-io/photos-app.git
git fetch photos-app main
git checkout -b photos-app-main photos-app/main

mkdir mobile
git mv `find . -maxdepth 1 | grep -v -e '^\.$' -e '^\.\/.git$' -e '^\.\/auth$' -e '^\.\/web$' -e '^\.\/mobile$'` mobile
git commit -m 'Move into mobile/'

git checkout main
git merge --allow-unrelated-histories photos-app-main
git branch -D photos-app-main
git remote remove photos-app

git remote add photos-desktop https://github.com/ente-io/photos-desktop.git
git fetch photos-desktop main
git checkout -b photos-desktop-main photos-desktop/main

mkdir desktop
git mv `find . -maxdepth 1 | grep -v -e '^\.$' -e '^\.\/.git$' -e '^\./.gitmodules$' -e '^\.\/desktop$'` desktop
git mv .gitmodules desktop
git commit -m 'Move into desktop/'

git checkout main
git merge --allow-unrelated-histories photos-desktop-main
git branch -D photos-desktop-main
git remote remove photos-desktop

git remote add cli https://github.com/ente-io/cli.git
git fetch cli main
git checkout -b cli-main cli/main

mkdir cli
git mv `find . -maxdepth 1 | grep -v -e '^\.$' -e '^\.\/.git$' -e '^\.\/cli$'` cli
git commit -m 'Move into cli/'

git checkout main
git merge --allow-unrelated-histories cli-main
git branch -D cli-main
git remote remove cli

git remote add docs https://github.com/ente-io/docs.git
git fetch docs main
git checkout -b docs-main docs/main

mkdir docs-1
git mv `find . -maxdepth 1 | grep -v -e '^\.$' -e '^\.\/.git$' -e '^\.\/docs-1$'` docs-1
git mv docs-1 docs
git commit -m 'Move into docs/'

git checkout main
git merge --allow-unrelated-histories docs-main
git branch -D docs-main
git remote remove docs
```
2024-03-01 13:01:41 +05:30


Ente believes that working with security researchers across the globe is crucial to keeping our users safe. If you believe you've found a security issue in our product or service, we encourage you to notify us, by email (security@ente.io) or by filling out this form. We welcome working with you to resolve the issue promptly. Thanks in advance!

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We may publicly disclose the issue before resolving it, if appropriate.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • If you would like to encrypt your report, please use the PGP key with long ID E273695C0403F34F74171932DF6DDDE98EBD2394 (available in the public keyserver pool).

In-scope

Exclusions

The following bug classes are out of scope:

  • Bugs that are already reported on any of Ente's issue trackers, or that we already know of (Note that some of our issue tracking is private)
  • Issues in an upstream software dependency (e.g. Flutter, Next.js) which are already reported to the upstream maintainer
  • Attacks requiring physical access to a user's device
  • Self-XSS
  • Issues related to software or protocols not under Ente's control
  • Vulnerabilities in outdated versions of Ente
  • Missing security best practices that do not directly lead to a vulnerability
  • Issues that do not have any impact on the general public

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Ente staff or contractors
  • Any physical attempts against Ente property or data centers

Thank you for helping keep Ente and our users safe!