Skip to content

Latest commit

 

History

History
30 lines (17 loc) · 2.42 KB

SECURITY.md

File metadata and controls

30 lines (17 loc) · 2.42 KB

Reporting Vulnerabilities

We extend our sincere gratitude to anyone who reports vulnerabilities to Testsigma Community. These reports are comprehensively investigated by community volunteers as well as Testsigma Team.

To report a security issue, please email us at security@testsigma.com with a detailed overview and necessary information attached. At this juncture, we don't have a bug bounty program. We are a small team trying to solve a big problem. We urge you to report any vulnerabilities responsibly so that we can continue building a secure application for the entire community.

When Should I Report a Vulnerability?

  • You think you have discovered a potential security vulnerability in the Testsigma or related components.
  • You are unsure how a vulnerability affects the Testsigma project.
  • You think you discovered a vulnerability in another project that Testsigma depends on (e.g. MySQL, Docker, NGINX, etc). -You want to report any other security risk that could potentially harm Testsigma users.

When Should I NOT Report a Vulnerability?

  • You need help tuning Testsigma components for security.
  • You need help applying security-related updates.
  • Your issue is not security-related.

Security Vulnerability Response

Each report is acknowledged and analyzed by the project's maintainers and the security team within 3 working days. The reporter will be kept updated at every stage of the issue's analysis and resolution (triage -> fix -> release).

Public Disclosure Timing

A public disclosure date is negotiated by the Testsigma product security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Testsigma maintainers and the security team will take the final call on setting a disclosure date.

(Some sections have been inspired and adapted from https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md).