From 2182c5a6f9ac31b87d41663217c3cd1098209923 Mon Sep 17 00:00:00 2001 From: itzQuicksilver <96615931+QuicksilverYT@users.noreply.github.com> Date: Wed, 10 Jul 2024 22:20:12 +0530 Subject: [PATCH] Update SECURITY.md --- SECURITY.md | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a773ec0afddc..2503b1aba235 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,49 @@ # Security Policy ## Reporting a Vulnerability -To report a vulnerability in the Kong gateway, Insomnia or other Kong software, or know of a publicly disclosed security vulnerability, please immediately let us know by emailing security@konghq.com. -For more detailed information, please see [Kong's Security Update Process](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/kong-security-update-process/#reporting-a-vulnerability). +Ensuring the security and integrity of Kong's software products, including the Kong Gateway and Insomnia, is our top priority. We greatly appreciate the community's efforts in identifying and reporting potential security vulnerabilities. If you discover or know of a vulnerability, we urge you to follow the guidelines below for reporting it. + +### How to Report a Vulnerability + +1. **Email Notification**: + - Send an email to [security@konghq.com](mailto:security@konghq.com) with the details of the vulnerability. + - Include a detailed description of the issue, including: + - The software version affected. + - Steps to reproduce the vulnerability. + - Any potential impact on the system. + - Any proof of concept or relevant code snippets. + +2. **Publicly Disclosed Vulnerabilities**: + - If you come across a publicly disclosed security vulnerability that affects Kong software, notify us immediately using the same email address [security@konghq.com](mailto:security@konghq.com). + - Provide links to the public disclosure and any additional context that might help us understand the impact and severity. + +3. **Confidentiality**: + - We request you to keep the details of the vulnerability confidential until we have verified and addressed the issue. + - We aim to respond promptly and will work with you to understand and mitigate the vulnerability. + +4. **Acknowledgment and Rewards**: + - We acknowledge the efforts of researchers and contributors who help us improve our security posture. + - In certain cases, we may offer a bounty or other form of recognition as a token of our appreciation. + +### What Happens Next + +Upon receiving your report, we will: + +1. **Acknowledge Receipt**: + - Confirm that we have received your report within 24 hours. + +2. **Assessment**: + - Our security team will review the reported issue to verify its validity and impact. + +3. **Mitigation**: + - If the vulnerability is confirmed, we will work on a fix and plan for a secure release. + - We may reach out to you for further information or clarification during this process. + +4. **Update and Disclosure**: + - Once a fix is developed, we will include it in our software updates. + - We will also publish a security advisory to inform our users about the vulnerability, its impact, and the mitigation steps taken. + +For more detailed information on our vulnerability handling and security update process, please visit [Kong's Security Update Process](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/kong-security-update-process/#reporting-a-vulnerability). + +Your assistance and responsible disclosure are critical to helping us maintain the highest security standards. Thank you for your cooperation and support.