From 3563fcc151cb4fd4626d361cb438535361c50243 Mon Sep 17 00:00:00 2001
From: Phat Pham
Date: Sun, 21 Jun 2026 21:46:33 +0700
Subject: [PATCH 1/2] docs: enhance README with license badge, security policy,
and license section
---
README.md | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8277480..ce26716 100644
--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@
+
---
@@ -335,7 +336,7 @@ Presentation-layer note:
### Offline and connectivity
- the app shell and previously fetched `GET /api/items` views are cached by the service worker for offline reuse
-- this offline/PWA behavior requires a secure-context origin where service workers are available (for example `localhost` or HTTPS); plain HTTP network IP origins such as `http://100.94.224.102:9002` do not get service-worker-based offline reopen support on iOS
+- this offline/PWA behavior requires a secure-context origin where service workers are available (for example `localhost` or HTTPS); plain HTTP network IP origins such as `http://100.94.224.102:9[...]
- when the browser goes offline, a no-wifi indicator appears before the refresh button instead of showing connectivity toasts
- if an offline view has no cached `/api/items` response yet, the list is replaced with `Offline and no cached items are available for this view yet.`
- when the browser comes back online, the no-wifi indicator disappears and the current view is re-fetched silently from `/api/items`
@@ -415,6 +416,18 @@ docker run --rm -v "$PWD":/src -w /src golang:1.24-bookworm go test ./...
---
+## Security
+
+For security concerns, please email [hi@boringcode.dev](mailto:hi@boringcode.dev) instead of using the issue tracker. See [SECURITY.md](SECURITY.md) for more details.
+
+---
+
+## License
+
+This project is licensed under the MIT License — see the [LICENSE](LICENSE) file for details.
+
+---
+
## Repository hygiene
The SQLite runtime data directory is intentionally ignored:
From c2c8df7df4530655ddce6d6f40b5017eddf3b983 Mon Sep 17 00:00:00 2001
From: Phat Pham
Date: Sun, 21 Jun 2026 21:47:55 +0700
Subject: [PATCH 2/2] docs: add SECURITY.md with vulnerability reporting
guidelines
---
SECURITY.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..803eb7a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,60 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a security vulnerability in feedreader, please report it responsibly by emailing [hi@boringcode.dev](mailto:hi@boringcode.dev) instead of using the public issue tracker.
+
+When reporting a security issue, please include:
+
+- A description of the vulnerability
+- Steps to reproduce the issue (if applicable)
+- The affected version(s)
+- Any potential impact or proof of concept
+
+We will acknowledge your report within 48 hours and work with you to understand and resolve the issue promptly.
+
+## Security Considerations for Deployment
+
+Since feedreader is a self-hosted application, the following best practices are recommended:
+
+### Network Security
+
+- Run feedreader behind a reverse proxy (nginx, Caddy, etc.) with TLS/HTTPS enabled
+- Use a firewall to restrict access to the application
+- Consider running the application in an isolated network segment
+
+### Data Security
+
+- Store the SQLite database file on an encrypted filesystem
+- Regularly back up the database
+- Ensure proper file permissions on the data directory
+
+### Container Security
+
+- Keep the base Docker image and Go runtime updated
+- Run the container with minimal required privileges
+- Use secrets management for sensitive configuration values
+
+### Dependency Management
+
+- Monitor dependencies for security updates
+- Keep Go and other dependencies current
+
+## Supported Versions
+
+Security updates will be provided for:
+
+- The current release and latest version
+- The previous minor version if critical
+
+## Disclosure Timeline
+
+We aim to:
+
+1. Acknowledge receipt of the report within 48 hours
+2. Begin investigation and reproduce the issue
+3. Develop and test a fix
+4. Publish a security release (if needed)
+5. Notify the reporter of the resolution
+
+We appreciate your responsible disclosure and will credit you appropriately unless you prefer to remain anonymous.