From cc8d8100e9ac12367509e8da67ec2d6699c5e8ac Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 7 Mar 2024 10:35:50 -0300 Subject: [PATCH] docs: add security policy Signed-off-by: Felipe Zipitria --- SECURITY.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..dea38130 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,33 @@ +# Security Policy + +This document includes information about the vulnerability reporting, patch, +release, and disclosure processes, as well as general security posture. + +# Reporting Security Issues + +Vulnerabilities are reported privately via GitHub's +[Security Advisories](https://docs.github.com/en/code-security/security-advisories) +feature. Please use the following link to submit your vulnerability: +[Report a vulnerability](https://github.com/coreruleset/go-ftw/security/advisories/new) + +Please see +[Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) +for more information on how to submit a vulnerability using GitHub's interface. + +Our vulnerability management team will respond within 3 working days of your +email. If the issue is confirmed as a vulnerability, we will open a +Security Advisory and acknowledge your contributions as part of it. This project +follows a 90 day disclosure timeline. + + +### When Should I Report a Vulnerability? + +- You think you discovered a potential security vulnerability in go-ftw +- You are unsure how a vulnerability affects go-ftw +- You think you discovered a vulnerability in another project that go-ftw depends on + - For projects with their own vulnerability reporting and disclosure process, please report it directly there + +### When Should I NOT Report a Vulnerability? + +- You need help applying security related updates +- Your issue is not security related