mirror of
https://github.com/TracksApp/tracks.git
synced 2025-09-21 21:40:48 +02:00
Merge pull request #2489 from TracksApp/security_policy
Add security policy
This commit is contained in:
Jyri-Petteri Paloposki
GitHub
commit
ac7afb9a0c
1 changed files with 45 additions and 3 deletions
48
SECURITY.md
48
SECURITY.md
|
|
@ -1,13 +1,13 @@
|
|||
# Security Policy
|
||||
# Security policy
|
||||
|
||||
## Supported Versions
|
||||
## Supported versions
|
||||
|
||||
| Version | Supported |
|
||||
| ------- | ------------------ |
|
||||
| 2.4.x | :white_check_mark: |
|
||||
| <2.4.x | :x: |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
## Reporting a vulnerability
|
||||
|
||||
Please report any security issues via email to security@getontracks.org.
|
||||
If you don't get a reply for your email, resend the email after one week.
|
||||
|
|
@ -19,3 +19,45 @@ You can (and should) encrypt the email you send with OpenGPG key
|
|||
|
||||
Unfortunately Tracks is not part of a bug bounty program, but we do provide
|
||||
appropriate credits for disclosing security issues.
|
||||
|
||||
## Evaluating and fixing a vulnerability
|
||||
|
||||
When a security vulnerability is reported to the maintainers, the
|
||||
maintainers first validate the vulnerability and preliminarily estimate
|
||||
the risk caused by the vulnerability.
|
||||
|
||||
Any security issue is kept strictly confidential until a fix is made and
|
||||
validated by the maintainers and, if necessary, the reporter. Any fixes
|
||||
are not committed to the public repository before publishing.
|
||||
|
||||
When a fix has been validated, the final risk assessment of the issue is
|
||||
done based on the latest version of the CVSS system and the criteria below.
|
||||
|
||||
## Security advisories
|
||||
|
||||
A security advisory is a public announcement managed by the maintainers
|
||||
which informs instance maintainers about a security problem in the software
|
||||
and the steps instance maintainers should take to address it. On release it
|
||||
is published widely so that instance maintainers can address it quickly.
|
||||
|
||||
If necessary, the maintainers can decide to issue a pre-announcement
|
||||
informing the instance maintainers of an upcoming security advisory. This
|
||||
is done when timely addressing of the vulnerability is very important due
|
||||
to the high risk caused by it.
|
||||
|
||||
Security advisories are published for security vulnerabilities that
|
||||
|
||||
* Are caused by code included in the software repository (not any libraries
|
||||
or other code not itself in the repository),
|
||||
* Exist in stable or release candidate releases (not alpha or beta
|
||||
releases or unreleased code),
|
||||
* Are exploitable either without logging in or without admin privileges, and
|
||||
* Affect either the whole instance or other users than the one running the
|
||||
exploit.
|
||||
|
||||
## Other vulnerabilities
|
||||
|
||||
If the vulnerability does not warrant a security advisory, the vulnerability
|
||||
is fixed and released with a note in the release notes of the release.
|
||||
Details of the vulnerability as well as the risk assessment and grounds for
|
||||
not publishing a security advisory are included.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue