-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' into proposals/move-trestle-sdk
- Loading branch information
Showing
1 changed file
with
48 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# OSCAL Compass Security Policy | ||
|
||
This policy describes OSCAL Compass security and disclosure information. | ||
|
||
## Reporting a vulnerability | ||
|
||
To report a vulnerability, either: | ||
|
||
1. Report it on Github directly you can follow the procedure described | ||
[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) | ||
and: | ||
|
||
- Navigate to the security tab (e.g. `trestle` [security tab](https://github.com/oscal-compass/compliance-trestle/security)) on the repository | ||
- Click on 'Advisories' | ||
- Click on 'Report a vulnerability' | ||
- Detail the issue, see below for some examples of info that might be | ||
useful including. | ||
|
||
2. Send an email to `[email protected]` detailing the issue and impacted project(s). | ||
|
||
### What to include | ||
|
||
Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding: | ||
|
||
* Versions of impacted project(s) used | ||
* Detailed list of steps to reproduce the vulnerability | ||
* Consequences of the vulnerability | ||
* Severity you feel should be attributed to the vulnerabilities | ||
* Screenshots or logs | ||
|
||
## Public Disclosure | ||
|
||
Vulnerabilities once fixed will be shared publicly as a Github [security | ||
advisory](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories) | ||
and mentioned in the fixed versions' release notes. | ||
|
||
## Supported Versions | ||
|
||
All OSCAL Compass projects follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z: | ||
- where x is the major version | ||
- y is the minor version | ||
- and z is the patch version | ||
|
||
Security fixes are typically addressed in the main branch and may be backported to one prior minor release depending on severity and feasibility. | ||
|
||
## Acknowledgments | ||
|
||
Parts of this policy were adapted from the Crossplane [security policy](https://github.com/crossplane/crossplane/blob/master/SECURITY.md) |