Commit
Add a security policy file, as noted in this issue: #307
Parent: 9833251. Commit: c9ff830.
Showing 1 changed file with 26 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# Chayn Security Policy | ||
|
||
## Report a Vulnerability | ||
|
||
To report a security issue, please email [email protected] with the following information: | ||
|
||
1. **The Chayn product** with the vulnerability. | ||
2. **A short summary of the problem.** Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. | ||
3. Complete instructions, including specific configuration details, to **reproduce the vulnerability.** | ||
|
||
Optional information to include if applicable: | ||
- Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue. | ||
- Credit: List all researchers who contributed to this disclosure. If you found the vulnerability with a specific tool, you can also credit this tool. | ||
- Contact information for further collaboration. If the vulernerability is accepted, we will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered. | ||
|
||
You will receive an email from us confirming we have received your bug report. | ||
|
||
## Disclosure Policy | ||
|
||
Chayn is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. | ||
|
||
If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability. | ||
|
||
Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team. | ||
|
||
We **appreciate the hard work** contributors and maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers and contributors to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted. |
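Review bot: the Disclosure Policy section (from "Chayn is dedicated to working closely with the open source community" through the 90-day deadline) is written from the point of view of a reporter disclosing to some other "project team" and its "project security team or maintainers", which contradicts the Report a Vulnerability section above it, where Chayn is the party receiving reports about its own products; rewrite it to state what Chayn commits to as the vendor (how quickly a report is acknowledged and triaged, the target fix window, and when the reporter may publish) instead of what Chayn will do for third-party projects. Smaller points in the same hunk: the "Contact information for further collaboration" bullet misspells "vulnerability" as "vulernerability"; "You will receive an email from us confirming we have received your bug report" gives no acknowledgement timeframe, so the 90-day clock has no defined start on the reporter's side; and the only reporting channel is a plain email address with no PGP key or other encrypted option, so a reporter has no way to send the requested reproduction steps and configuration details confidentially.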