You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 lines
1.5 KiB
Markdown
37 lines
1.5 KiB
Markdown
3 years ago
|
# Security Policies and Procedures
|
||
|
|
|
||
|
|
This document outlines security procedures and general policies for all
|
||
|
|
ESSENTIAL KAOS projects.
|
||
|
|
|
||
|
|
* [Reporting a Bug](#reporting-a-bug)
|
||
|
|
* [Disclosure Policy](#disclosure-policy)
|
||
|
|
|
||
|
|
## Reporting a Bug
|
||
|
|
|
||
|
|
The ESSENTIAL KAOS team and community take all security bugs in our projects
|
||
|
|
very seriously. Thank you for improving the security of our project. We
|
||
|
|
appreciate your efforts and responsible disclosure and will make every effort
|
||
|
|
to acknowledge your contributions.
|
||
|
|
|
||
|
|
Report security bugs by emailing our security team at security@essentialkaos.com.
|
||
|
|
|
||
|
|
The security team will acknowledge your email within 48 hours and will send a
|
||
|
|
more detailed response within 48 hours, indicating the next steps in handling
|
||
|
|
your report. After the initial reply to your report, the security team will
|
||
|
|
endeavor to keep you informed of the progress towards a fix and full
|
||
|
|
announcement, and may ask for additional information or guidance.
|
||
|
|
|
||
|
|
Report security bugs in third-party dependencies to the person or team
|
||
|
|
maintaining the dependencies.
|
||
|
|
|
||
|
|
## Disclosure Policy
|
||
|
|
|
||
|
|
When the security team receives a security bug report, they will assign it to a
|
||
|
|
primary handler. This person will coordinate the fix and release process,
|
||
|
|
involving the following steps:
|
||
|
|
|
||
|
|
* Confirm the problem and determine the affected versions;
|
||
|
|
* Audit code to find any similar potential problems;
|
||
|
|
* Prepare fixes for all releases still under maintenance. These fixes will be
|
||
|
|
released as fast as possible.
|