Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: creates an initial SECURITY.md policy #60

Merged
merged 4 commits into from
Aug 30, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# OSCAL Compass Security Policy

This policy describes OSCAL Compass security and disclosure information.

## Reporting a vulnerability

To report a vulnerability, either:

1. Report it on Github directly you can follow the procedure described
[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
and:

- Navigate to the security tab (e.g. `trestle` [security tab](https://github.com/oscal-compass/compliance-trestle/security)) on the repository
- Click on 'Advisories'
- Click on 'Report a vulnerability'
- Detail the issue, see below for some examples of info that might be
useful including.

2. Send an email to `[email protected]` detailing the issue and impacted project(s).

### What to include

Make sure to include all the details that might help maintainers better understand and prioritize it, for example here is a list of details that might be worth adding:

* Versions of impacted project(s) used
* Detailed list of steps to reproduce the vulnerability
* Consequences of the vulnerability
* Severity you feel should be attributed to the vulnerabilities
* Screenshots or logs

## Public Disclosure

Vulnerabilities once fixed will be shared publicly as a Github [security
advisory](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/about-repository-security-advisories)
and mentioned in the fixed versions' release notes.

## Supported Versions

All OSCAL Compass projects follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z:
- where x is the major version
- y is the minor version
- and z is the patch version

Security fixes are typically addressed in the main branch and may be backported to one prior minor release depending on severity and feasibility.

## Acknowledgments

Parts of this policy were adapted from the Crossplane [security policy](https://github.com/crossplane/crossplane/blob/master/SECURITY.md)