As part of a U.S. government agency, the General Services Administration (GSA)'s Technology Transformation Services (TTS) takes seriously our responsibility to protect the public's information, including financial and personal information, from unwarranted disclosure.
We want security researchers to feel comfortable reporting vulnerabilities they've discovered, as set out in this policy, so that we can fix them and keep our information safe.
This website runs on Federalist, which follows TTS’ Vulnerability disclosure policy.
The Open Web Application Security Project (OWASP) curates a list of the Top 10 Most Critical Web Application Security Risks, and Using Components with Known Vulnerabilities has been on it the past seven years. We can, should, and must keep our dependencies up-to-date.
GitHub’s automated security alerts are enabled for this repository. All security alerts should be acted upon within two days, as requested by the TTS Tech Portfolio.
Acting means:
- Updating the dependency to resolve the security issue.
- Removing the vulnerable dependency or moving to a different comparable dependency to avoid the security issue.
- Dismissing the security alert with “Risk is tolerable to this project."
- All security alerts dismissed in this way must be documented with a closed issue linking to the vulnerability and explaining why the risk is tolerable.