Rusoil Software is a student-run organization focused on learning and collaboration. Although most repositories are educational, we treat security responsibly and encourage all contributors to follow good practices when handling software, code samples, and data.

This document explains how to report potential vulnerabilities, what types of issues are relevant, and how we handle security-related concerns.

Important: All code and content in this organization are for study and educational purposes only. Repositories are not intended for production use. Nevertheless, we encourage good security hygiene as part of professional learning.

If you believe you’ve found a vulnerability or security concern in any repository under the Rusoil Software organization:

1. Do not publicly disclose the issue until maintainers have confirmed and addressed it.

2. Contact maintainers privately using one of the following options:

   • Open a private security advisory (if the repository has security advisories enabled).
   • Or email: security@rusoil.example (replace with actual contact address).

3. Include the following details:

   • Repository name and branch (e.g., main, develop)
   • Steps to reproduce the issue (clear and minimal example preferred)
   • Expected vs. actual behavior
   • Any proof-of-concept, logs, or screenshots (if safe to share)

We’ll confirm receipt within 5 business days and aim to provide an initial assessment or fix timeline within 10 business days.

You may report issues such as:

• Vulnerabilities in sample applications that could lead to data leaks or code execution.
• Insecure default configurations (e.g., exposed credentials in examples).
• Unsafe dependency usage or outdated libraries with known CVEs.
• Weak authentication or validation logic (if the project implements such features).

Out of scope:

• General bugs, typos, or documentation issues.
• Theoretical or non-exploitable weaknesses.
• Vulnerabilities in external dependencies not owned by Rusoil Software.
• Misconfigurations in forks or personal copies of repositories.

We follow the principles of responsible disclosure:

• Researchers and contributors should privately report security issues and give maintainers a reasonable amount of time to respond before public disclosure.
• Maintainers will communicate openly and respectfully during triage.
• Credit will be given to reporters who follow the policy and help resolve issues.

Even though this is an educational space, all contributors are expected to:

• Never commit real API keys, passwords, or tokens.
• Use .env.example or configuration templates for sensitive settings.
• Run dependency checks (e.g., npm audit, pip-audit, safety) before pushing code.
• Avoid sharing personal data or confidential institutional information.
• Follow secure coding principles — validate inputs, sanitize outputs, and avoid using outdated libraries.

Maintainers should:

• Review incoming PRs for potential security issues.
• Keep dependencies reasonably up to date.
• Respond to private vulnerability reports promptly.
• Add or maintain security scanning tools where possible (e.g., GitHub Dependabot, CodeQL).
• Mark security-sensitive issues as confidential until resolved.

Rusoil Software and its contributors provide all code, examples, and documentation as-is, without warranty. These repositories are designed for learning, experimentation, and academic collaboration — not production deployment.

By using or contributing to any repository, you acknowledge and agree that:

• You are responsible for assessing and mitigating any security risks in your own environment.
• Rusoil Software and its contributors are not liable for damages or misuse of provided code.

• Security contact: ustyuzhaninky@hotmail.com (ustyuzhaninky)
• Team Lead: ustyuzhaninky
• Organization: Rusoil Software on GitHub

If you have questions about this policy or want to suggest improvements, open a Discussion under the “Security & Maintenance” category.

Last updated: October 2025