From 49dc4aae11e7c5afa4be312bf2a21f04533d1c18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Wed, 12 Jun 2024 10:36:40 +0200 Subject: [PATCH 1/2] Create SECURITY.md --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..5e6ec128 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Reporting Security Issues + +We and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + +To report a security issue, email [nicklas.koertge1@ibm.com](mailto:nicklas.koertge1@ibm.com) and include the word "SECURITY" in the subject line. + +Wem will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +Report security bugs in third-party modules to the person or team maintaining the module. From b8c0ed6eb9fa30946ea35723f37c76b8bbed89df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicklas=20K=C3=B6rtge?= Date: Wed, 12 Jun 2024 10:42:55 +0200 Subject: [PATCH 2/2] update security policy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Nicklas Körtge --- SECURITY.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 5e6ec128..402215a8 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,9 +1,12 @@ # Reporting Security Issues -We and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. +You can privately report a potential security issue via the GitHub security advisory feature. This can be done here: -To report a security issue, email [nicklas.koertge1@ibm.com](mailto:nicklas.koertge1@ibm.com) and include the word "SECURITY" in the subject line. +https://github.com/IBM/sonar-cryptography/security/advisories -Wem will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. +Please do **not** open a public issue about a potential security vulnerability. -Report security bugs in third-party modules to the person or team maintaining the module. +You can find more details on the security vulnerability feature in the GitHub +documentation here: + +https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability
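Review bot: two typos in the first commit's added text ship straight to reporters: `+We and community take security bugs seriously.` should read "We and the community take security bugs seriously." and `+Wem will send a response indicating the next steps` should read "We will send a response indicating the next steps". The policy also promises a reply but gives no target acknowledgment window, so a reporter has no way to know when to escalate; consider stating one. The only contact is a single personal mailbox (`+To report a security issue, email [nicklas.koertge1@ibm.com]`); a shared alias or a second named contact keeps reports from stalling if that person is unavailable.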
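Review bot: deleting `-To report a security issue, email [nicklas.koertge1@ibm.com](mailto:nicklas.koertge1@ibm.com)` removes the only channel for reporters without a GitHub account and for the case where private vulnerability reporting has not been enabled in the repository settings (the docs page linked at `+https://docs.github.com/en/code-security/security-advisories/...` describes a feature maintainers must switch on); keep the e-mail as a fallback alongside the advisory link. The hunk also drops `-Wem will send a response indicating the next steps in handling your report.` without a replacement, so the updated policy no longer tells reporters what happens after they submit; retain a corrected version of that sentence and the follow-up about progress updates. Check that `+https://github.com/IBM/sonar-cryptography/security/advisories` is the intended landing page: it is the advisory listing, whereas the report form is the `/new` path under it.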