From 594fa8b38047350eddb94489588d15b116a3022e Mon Sep 17 00:00:00 2001 From: Jennifer Power Date: Wed, 7 Aug 2024 14:33:19 -0400 Subject: [PATCH] docs: adds examples of information to include with the report Signed-off-by: Jennifer Power --- SECURITY.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 914e9ae..0b5bed5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -18,6 +18,16 @@ To report a vulnerability, either: 2. Send an email to `oscal-compass-oversight@googlegroups.com` detailing the issue and impacted project(s). +### What to include + +Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding: + +* Versions of impacted project(s) used +* Detailed list of steps to reproduce the vulnerability +* Consequences of the vulnerability +* Severity you feel should be attributed to the vulnerabilities +* Screenshots or logs + ## Public Disclosure Vulnerabilities once fixed will be shared publicly as a Github [security
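Review bot: the new "What to include" intro sentence has a dangling "it" and runs on ("Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list..."); the antecedent should be the report itself, and the list should be introduced as a suggestion rather than a requirement, so that readers who cannot supply every item still report. Something like "Include any details that help maintainers understand and prioritize the report, for example:" reads cleaner. In the same hunk, the bullet "Severity you feel should be attributed to the vulnerabilities" is plural while every other bullet refers to a single vulnerability; change it to "the vulnerability" for consistency. Also consider noting, next to "Screenshots or logs", that reporters should redact secrets and credentials from attached logs before sending them to the mailing list, since the surrounding text points at a plain email address as one of the two reporting channels.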