# Security Policy

## Supported Versions

| Version | Supported |
|---------|----------|
| Current static site | ✅ Yes |

**Note**: This is a static archive website. The website consists of HTML, CSS, and JavaScript files that do not process user input or execute server-side code.

## Reporting a Vulnerability

### Security Issues to Report

- Cross-site scripting (XSS) vulnerabilities in the static HTML/JS
- Broken or malicious external links
- Privacy concerns with embedded content
- Insecure dependencies (if applicable)
- Any other security-related issues

### How to Report

**Please do NOT report security vulnerabilities through public GitHub issues.**

Instead, send an email to:
- **Security Contact**: it@fidh.org
- **Subject**: [Security] RT4Freedom Archive - [Brief Description]

Include:
- Clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any proof of concept or exploit code (if available)

### Response Time

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 72 hours
- **Critical vulnerabilities**: Prioritized, aim to respond within 24 hours

### Disclosure Policy

- We ask for reasonable time to investigate and address reported vulnerabilities
- We will keep you informed about the progress
- We may request additional information or clarification
- Public disclosure should be coordinated with us

## Security Best Practices

### For Deployment

- Always serve the website over **HTTPS** (not HTTP)
- Enable **Security Headers** (CSP, X-XSS-Protection, X-Frame-Options, etc.)
- Consider using a **CDN** or **DDoS protection** service
- Keep all static assets updated

### For Contributors

- Do not add any user input processing or server-side code
- Sanitize any JavaScript code added to the site
- Ensure all external links use HTTPS
- Do not include tracking codes without disclosure
- Do not hardcode sensitive information

## Scope

This security policy applies to:
- The static archive content in this repository
- The deployed website using this code

## Out of Scope

The following are **not** covered by this policy:
- Content-related concerns (see README for contact)
- Design or usability issues
- Non-security bugs
- Social engineering attacks
- DDoS attacks
- Server configuration issues not related to code

## Acknowledgments

We appreciate the security community's efforts to make the web safer. Responsible disclosure helps protect all users of this archive.

---

*Last updated: 2026*

*Archive preserved by: FIDH (International Federation for Human Rights)*

*Contact: it@fidh.org | https://www.fidh.org*
