ConsentOS — a privacy-first cookie consent management platform. Self-hosted, source-available alternative to OneTrust, Cookiebot, and CookieYes. Full standards coverage (IAB TCF v2.2, GPP v1, Google Consent Mode v2, GPC, Shopify Customer Privacy API), multi-tenant architecture with role-based access, configuration cascade (system → org → group → site → region), dark-pattern detection in the scanner, and a tamper-evident consent record audit trail. This is the initial public release. Prior development history is retained internally. See README.md for the feature list, architecture overview, and quick-start instructions. Licensed under the Elastic Licence 2.0 — self-host freely; do not resell as a managed service.
35 lines
1.1 KiB
Markdown
# Security Policy
## Supported Versions
| Version | Supported |
|---------|-----------|
| 0.1.x   | Yes       |
## Reporting a Vulnerability
If you discover a security vulnerability, **please do not open a public issue.**
Instead, email **security@consentos.dev** with:
- A description of the vulnerability
- Steps to reproduce
- Any relevant logs or screenshots
- Your assessment of severity
We aim to acknowledge reports within **48 hours** and provide a fix or mitigation plan within **7 days** for critical issues.
## Scope
The following are in scope for security reports:
- The ConsentOS API (`apps/api/`)
- The consent banner script (`apps/banner/`)
- The scanner service (`apps/scanner/`)
- The admin UI (`apps/admin-ui/`)
- Docker and Helm deployment configurations
## Responsible Disclosure
We ask that you give us reasonable time to address any reported vulnerabilities before disclosing them publicly, remembering that this is a free, open source project and not paid work. We are happy to credit researchers who report valid issues (unless you prefer to remain anonymous).