docs(SECURITY.md): update and made it more detailed #13360

47 changes: 45 additions & 2 deletions SECURITY.md
@@ -1,6 +1,49 @@
# Security Policy

## Reporting a Vulnerability
To report a vulnerability in the Kong gateway, Insomnia or other Kong software, or know of a publicly disclosed security vulnerability, please immediately let us know by emailing [email protected].

For more detailed information, please see [Kong's Security Update Process](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/kong-security-update-process/#reporting-a-vulnerability).
Ensuring the security and integrity of Kong's software products, including the Kong Gateway and Insomnia, is our top priority. We greatly appreciate the community's efforts in identifying and reporting potential security vulnerabilities. If you discover or know of a vulnerability, we urge you to follow the guidelines below for reporting it.

### How to Report a Vulnerability

1. **Email Notification**:
- Send an email to [[email protected]](mailto:[email protected]) with the details of the vulnerability.
- Include a detailed description of the issue, including:
- The software version affected.
- Steps to reproduce the vulnerability.
- Any potential impact on the system.
- Any proof of concept or relevant code snippets.

2. **Publicly Disclosed Vulnerabilities**:
- If you come across a publicly disclosed security vulnerability that affects Kong software, notify us immediately using the same email address [[email protected]](mailto:[email protected]).
- Provide links to the public disclosure and any additional context that might help us understand the impact and severity.

3. **Confidentiality**:
- We request you to keep the details of the vulnerability confidential until we have verified and addressed the issue.
- We aim to respond promptly and will work with you to understand and mitigate the vulnerability.

4. **Acknowledgment and Rewards**:
- We acknowledge the efforts of researchers and contributors who help us improve our security posture.
- In certain cases, we may offer a bounty or other form of recognition as a token of our appreciation.

### What Happens Next

Upon receiving your report, we will:

1. **Acknowledge Receipt**:
- Confirm that we have received your report within 24 hours.

2. **Assessment**:
- Our security team will review the reported issue to verify its validity and impact.

3. **Mitigation**:
- If the vulnerability is confirmed, we will work on a fix and plan for a secure release.
- We may reach out to you for further information or clarification during this process.

4. **Update and Disclosure**:
- Once a fix is developed, we will include it in our software updates.
- We will also publish a security advisory to inform our users about the vulnerability, its impact, and the mitigation steps taken.

For more detailed information on our vulnerability handling and security update process, please visit [Kong's Security Update Process](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/kong-security-update-process/#reporting-a-vulnerability).

Your assistance and responsible disclosure are critical to helping us maintain the highest security standards. Thank you for your cooperation and support.
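Review bot: The rewrite introduces two concrete commitments that the previous two-line policy did not make and that should be confirmed with the security team before merging: under "Acknowledge Receipt" the line "Confirm that we have received your report within 24 hours." is a public SLA, and under "Acknowledgment and Rewards" the line "In certain cases, we may offer a bounty or other form of recognition" implies a reward program. Either verify both against the linked Kong Security Update Process page (cited at the end of the hunk) or soften them to wording that page supports. Two smaller points: the "Confidentiality" item asks reporters to withhold details "until we have verified and addressed the issue" without naming any disclosure window, so a reporter has no way to know when coordinated disclosure ends; consider stating one. And the nested bullets under each numbered item are flush-left in the diff, so Markdown renders them as a separate list rather than as sub-items; indent them under their parent item.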