Andreas/tracks
1
0
Fork 0
mirror of https://github.com/TracksApp/tracks.git synced 2025-09-22 05:50:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #2489 from TracksApp/security_policy

Browse source 
Add security policy
This commit is contained in:
Jyri-Petteri Paloposki 2020-09-24 11:24:19 +03:00 committed by GitHub
commit ac7afb9a0c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 45 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

48
SECURITY.md
View file

@ -1,13 +1,13 @@
# Security Policy # Security policy
## Supported Versions ## Supported versions
| Version | Supported | | Version | Supported |
| ------- | ------------------ | | ------- | ------------------ |
| 2.4.x | :white_check_mark: | | 2.4.x | :white_check_mark: |
| <2.4.x | :x: | | <2.4.x | :x: |
## Reporting a Vulnerability ## Reporting a vulnerability
Please report any security issues via email to security@getontracks.org. Please report any security issues via email to security@getontracks.org.
If you don't get a reply for your email, resend the email after one week. If you don't get a reply for your email, resend the email after one week.
@ -19,3 +19,45 @@ You can (and should) encrypt the email you send with OpenGPG key
Unfortunately Tracks is not part of a bug bounty program, but we do provide Unfortunately Tracks is not part of a bug bounty program, but we do provide
appropriate credits for disclosing security issues. appropriate credits for disclosing security issues.
## Evaluating and fixing a vulnerability
When a security vulnerability is reported to the maintainers, the
maintainers first validate the vulnerability and preliminarily estimate
the risk caused by the vulnerability.
Any security issue is kept strictly confidential until a fix is made and
validated by the maintainers and, if necessary, the reporter. Any fixes
are not committed to the public repository before publishing.
When a fix has been validated, the final risk assessment of the issue is
done based on the latest version of the CVSS system and the criteria below.
## Security advisories
A security advisory is a public announcement managed by the maintainers
which informs instance maintainers about a security problem in the software
and the steps instance maintainers should take to address it. On release it
is published widely so that instance maintainers can address it quickly.
If necessary, the maintainers can decide to issue a pre-announcement
informing the instance maintainers of an upcoming security advisory. This
is done when timely addressing of the vulnerability is very important due
to the high risk caused by it.
Security advisories are published for security vulnerabilities that
* Are caused by code included in the software repository (not any libraries
or other code not itself in the repository),
* Exist in stable or release candidate releases (not alpha or beta
releases or unreleased code),
* Are exploitable either without logging in or without admin privileges, and
* Affect either the whole instance or other users than the one running the
exploit.
## Other vulnerabilities
If the vulnerability does not warrant a security advisory, the vulnerability
is fixed and released with a note in the release notes of the release.
Details of the vulnerability as well as the risk assessment and grounds for
not publishing a security advisory are included.