Skip to content
This repository has been archived by the owner on May 3, 2020. It is now read-only.

Security: JesperDramsch/COmig

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

We take the security of our project seriously. If you believe you have found a security vulnerability, please follow these steps:

DO NOT

  • Do not create a public GitHub issue for the vulnerability
  • Do not disclose the vulnerability publicly before it has been addressed
  • Do not take advantage of the vulnerability or problem you have discovered

DO

  1. Email our security team directly at [email protected]
  2. Include detailed information about the vulnerability:
    • The specific project and version(s) affected
    • Detailed description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact of the vulnerability
    • Any potential solutions you've considered

What to Expect

  1. Initial Response: You will receive an initial response to your report within 48 hours.

  2. Status Updates:

    • We will investigate all legitimate reports and provide regular updates
    • We aim to keep you informed about our progress
    • We will work on a fix and coordinate the release process
  3. Disclosure Process:

    • The vulnerability will remain private until we release a fix
    • Once fixed, we will publish a security advisory
    • You will be credited in the advisory (unless you prefer to remain anonymous)

Bug Bounty Program

Currently, we do not offer a bug bounty program. However, we deeply appreciate the work of security researchers and will acknowledge your contribution in our release notes and security advisories.

Best Practices for Users

  1. Keep Updated:

    • Always use the latest version of our software
    • Regularly check for updates
  2. Security Configuration:

    • Use strong authentication methods
    • Implement the principle of least privilege
  3. Dependency Management:

    • Regularly update all dependencies
    • Monitor dependencies for security advisories
    • Use tools like dependabot to automate security updates

Security Implementation

Our project implements several security measures:

  1. Code Security:

    • All code is reviewed before merging
    • Regular security audits
    • Automated security scanning using CodeQL
    • Dependencies are automatically monitored for vulnerabilities
  2. Data Protection:

    • Encryption at rest and in transit
    • Secure data handling practices
    • Regular security assessments
    • Privacy by design

Incident Response

In case of a security incident:

  1. We will promptly investigate the issue
  2. Affected users will be notified within 72 hours
  3. We will provide clear instructions for any required user actions
  4. A post-mortem will be published after the incident is resolved

Thank you for helping to keep our project and our users secure!

There aren’t any published security advisories