Skip to content

Commit

Permalink
Merge branch 'main' into proposals/move-trestle-sdk
Browse files Browse the repository at this point in the history
  • Loading branch information
jpower432 authored Aug 30, 2024
2 parents 80e34bf + 3e5fde4 commit e4170eb
Showing 1 changed file with 48 additions and 0 deletions.
48 changes: 48 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# OSCAL Compass Security Policy

This policy describes OSCAL Compass security and disclosure information.

## Reporting a vulnerability

To report a vulnerability, either:

1. Report it on Github directly you can follow the procedure described
[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
and:

- Navigate to the security tab (e.g. `trestle` [security tab](https://github.com/oscal-compass/compliance-trestle/security)) on the repository
- Click on 'Advisories'
- Click on 'Report a vulnerability'
- Detail the issue, see below for some examples of info that might be
useful including.

2. Send an email to `[email protected]` detailing the issue and impacted project(s).

### What to include

Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding:

* Versions of impacted project(s) used
* Detailed list of steps to reproduce the vulnerability
* Consequences of the vulnerability
* Severity you feel should be attributed to the vulnerabilities
* Screenshots or logs

## Public Disclosure

Vulnerabilities once fixed will be shared publicly as a Github [security
advisory](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)
and mentioned in the fixed versions' release notes.

## Supported Versions

All OSCAL Compass projects follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z:
- where x is the major version
- y is the minor version
- and z is the patch version

Security fixes are typically addressed in the main branch and may be backported to one prior minor release depending on severity and feasibility.

## Acknowledgments

Parts of this policy were adapted from the Crossplane [security policy](https://github.com/crossplane/crossplane/blob/master/SECURITY.md)

0 comments on commit e4170eb

Please sign in to comment.