# Security Policy

## Supported Versions

| Version | Supported |
|---------|----------|
| Current static archive | ✅ Yes |

**Note**: This is a static archive website. The website consists of HTML, CSS, JavaScript, and image files only. No server-side processing, no database, no user input handling.

## Reporting a Vulnerability

### Security Issues to Report

- Cross-site scripting (XSS) vulnerabilities in HTML/JS
- Broken or malicious external links
- Insecure dependencies in bundled JavaScript
- Privacy concerns with embedded content
- Any other security-related issues

### How to Report

**Please do NOT report security vulnerabilities through public GitHub issues.**

Instead, send an email to:
- **Security Contact**: it@fidh.org
- **Subject**: [Security] Made in France Archive - [Brief Description of vulnerability]

Include:
- Clear description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Any proof of concept or exploit code (if available)

### Response Time

- **Acknowledgment**: Within 48 hours
- **Initial assessment**: Within 72 hours
- **Critical vulnerabilities**: Prioritized, aim to respond within 24 hours

### Disclosure Policy

- We ask for reasonable time to investigate and address reported vulnerabilities
- We will keep you informed about the progress
- We may request additional information or clarification
- Public disclosure should be coordinated with us

## Security Best Practices

### For Deployment

- Always serve the website over **HTTPS** and redirect plain HTTP requests to HTTPS
- Enable **security headers** (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, etc.) - see .htaccess. X-XSS-Protection is deprecated and ignored by current browsers; a strict CSP is the control that actually matters
- Consider using a **CDN** or **DDoS protection** service
- No server-side application or runtime is required; the only server-side configuration is the redirect and header rules in .htaccess (Apache), or their equivalent on another web server
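
The following is an added example of the kind of .htaccess the deployment notes refer to, written here for this policy rather than copied from the repository. It assumes Apache httpd 2.4 with mod_rewrite and mod_headers enabled and the site served from the directory the file sits in; the CSP source lists are an assumption about what the archive loads and should be tightened or loosened against the actual pages.

```apache
# Example .htaccess for a static HTML/CSS/JS archive on Apache 2.4.
# Added illustration, not the project's own file. Requires mod_rewrite + mod_headers.

# 1. Force HTTPS: send any plain-HTTP request to the same path over HTTPS.
#    Note: behind a CDN that terminates TLS, %{HTTPS} is "off" at the origin;
#    in that case test %{HTTP:X-Forwarded-Proto} instead (only if the CDN sets it).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
    # HSTS: browsers will use HTTPS only for one year. Sent only on HTTPS
    # responses (env=HTTPS is set by mod_ssl), as the spec requires.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

    # Content Security Policy for a self-contained static site: scripts, styles
    # and images from this origin only, no plugins, no framing, no form posts.
    # 'unsafe-inline' for styles is an assumption to keep existing inline <style>
    # blocks working; drop it once they are moved into .css files.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'"

    # Legacy framing protection for browsers without frame-ancestors support.
    Header always set X-Frame-Options "DENY"

    # Stop browsers from sniffing a different content type than the one served.
    Header always set X-Content-Type-Options "nosniff"

    # Do not leak full archive URLs to third-party sites via the Referer header.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Opt out of browser features a static archive never needs.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # X-XSS-Protection: current browsers ignore it and the legacy filter it
    # controlled could be abused; "0" switches it off where it still exists.
    # The CSP above is the real XSS control.
    Header always set X-XSS-Protection "0"
</IfModule>
```

After deploying, confirm the headers are actually reaching clients, for example with `curl -sI https://madeinfrance.fidh.org/` and checking that Content-Security-Policy and Strict-Transport-Security appear; a CDN in front of the origin may strip or override them, in which case the same headers must be configured at the CDN.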

### For Contributors

- Review any JavaScript added to the site; never write URL-derived values (location.search, location.hash, document.referrer) into the page with innerHTML, document.write or eval, since DOM-based XSS is possible even on a site with no server-side input handling
- Ensure all external links use HTTPS
- Do not include tracking codes or third-party embeds without disclosure and approval
- Do not hardcode sensitive information (credentials, API keys, internal hostnames)
- Test on multiple browsers

## Scope

This security policy applies to:
- The static archive content in this repository
- The deployed website using this code (https://madeinfrance.fidh.org)
- All HTML, JavaScript, and CSS files

## Out of Scope

The following are **not** covered by this policy:
- Content-related concerns (see README for contact)
- Design or usability issues
- Non-security bugs
- Social engineering attacks
- DDoS attacks
- Server configuration issues not related to files in this repository (the .htaccess is in scope)

## Acknowledgments

We appreciate the security community's efforts to make the web safer. Responsible disclosure helps protect all users of this archive.

---

*Last updated: 2019*

*Archive preserved by: FIDH (International Federation for Human Rights) and LDH (Ligue des Droits de l'Homme)*

*Contact: it@fidh.org | https://www.fidh.org | https://www.ldh-france.org*
