diff --git a/SECURITY.md b/SECURITY.md index 2eba0a1b..4b190778 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,13 +1,13 @@ -# Security Policy +# Security policy -## Supported Versions +## Supported versions | Version | Supported | | ------- | ------------------ | | 2.4.x | :white_check_mark: | | <2.4.x | :x: | -## Reporting a Vulnerability +## Reporting a vulnerability Please report any security issues via email to security@getontracks.org. If you don't get a reply for your email, resend the email after one week. @@ -19,3 +19,45 @@ You can (and should) encrypt the email you send with OpenGPG key Unfortunately Tracks is not part of a bug bounty program, but we do provide appropriate credits for disclosing security issues. + +## Evaluating and fixing a vulnerability + +When a security vulnerability is reported to the maintainers, the +maintainers first validate the vulnerability and preliminarily estimate +the risk caused by the vulnerability. + +Any security issue is kept strictly confidential until a fix is made and +validated by the maintainers and, if necessary, the reporter. Any fixes +are not committed to the public repository before publishing. + +When a fix has been validated, the final risk assessment of the issue is +done based on the latest version of the CVSS system and the criteria below. + +## Security advisories + +A security advisory is a public announcement managed by the maintainers +which informs instance maintainers about a security problem in the software +and the steps instance maintainers should take to address it. On release it +is published widely so that instance maintainers can address it quickly. + +If necessary, the maintainers can decide to issue a pre-announcement +informing the instance maintainers of an upcoming security advisory. This +is done when timely addressing of the vulnerability is very important due +to the high risk caused by it. + +Security advisories are published for security vulnerabilities that + +* Are caused by code included in the software repository (not any libraries + or other code not itself in the repository), +* Exist in stable or release candidate releases (not alpha or beta + releases or unreleased code), +* Are exploitable either without logging in or without admin privileges, and +* Affect either the whole instance or other users than the one running the + exploit. + +## Other vulnerabilities + +If the vulnerability does not warrant a security advisory, the vulnerability +is fixed and released with a note in the release notes of the release. +Details of the vulnerability as well as the risk assessment and grounds for +not publishing a security advisory are included.