From 3757de7173749eb263d024b6987bf0bc22e63e6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=ABss=20Treinis?= Date: Wed, 11 Mar 2020 11:05:41 +0100 Subject: [PATCH] Add issue reporting note and vulnerability disclosure policy --- README.md | 6 ++++++ SECURITY.md | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 92fc9fe..60bb4eb 100644 --- a/README.md +++ b/README.md @@ -242,6 +242,12 @@ is planned for level 2 expansion: A side-goal of API level 2 is to retain compatibility with API level 1, meaning, if at all possible, all scripts written for API level 1 will work just fine with API level 2 compatible libkafe. +## Reporting issues + +To report a bug or request a feature, open a ticket at [https://github.com/libkafe/kafe/issues](https://github.com/libkafe/kafe/issues). + +For security related issues, please follow our [Vulnerability Disclosure Policy](./SECURITY.md). + ## History Kafe is nearly complete rewrite of OPM (Optional Package Manager) - a command-line tool I wrote several years ago for my diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7fd6944 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,40 @@ +# Kafe Vulnerability Disclosure Policy + +We take the security of our systems seriously, and we value the security community. The disclosure of security +vulnerabilities helps us ensure the security and privacy of our users. + +### Guidelines +We require that all researchers: +* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, + and destruction of data during security testing; +* Perform research only within the scope set out below; +* Use the identified communication channels to report vulnerability information to us; and +* Keep information about any vulnerabilities you’ve discovered confidential between yourself and Kafe developers + until we’ve had 60 days to resolve the issue. + +If you follow these guidelines when reporting an issue to us, we commit to: +* Not pursue or support any legal action related to your research; +* Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within + 72 hours of submission); +* Recognize your contribution on our source repository, if you are the first to report the issue and we make a code or + configuration change based on the issue. + +### Scope +* Source code made available at https://github.com/libkafe/kafe +* Binary builds made available at https://github.com/libkafe/kafe + +### Out of scope +Any services hosted by 3rd party providers and services are excluded from scope. These services include: + +* GitHub +* Managed Kafe services or 3rd party software embedding kafe or libkafe + +### How to report a security vulnerability? +If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing +mrtreinis@gmail.com. 
Please include the following details with your report: + +* Description of the location and potential impact of the vulnerability; +* A detailed description of the steps required to reproduce the vulnerability (POC scripts, etc.); and +* Your name/handle and a link for recognition in our repository. + +You can also share a private repository with proof of concept to the exploit directly with https://github.com/Addvilz \ No newline at end of file
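Review bot: minor style point in the new `## Reporting issues` section of the README hunk: "security related issues" should be hyphenated as "security-related issues". The relative link `./SECURITY.md` resolves correctly on GitHub, and GitHub also surfaces a root-level SECURITY.md in the repository's Security tab, so the cross-reference is consistent with the second hunk.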
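Review bot: the reporting channel in the "How to report a security vulnerability?" section is a plain personal email address with no way to encrypt a report; consider publishing a PGP key alongside the address so that reproduction steps and proof-of-concept scripts are not sent in cleartext, and consider a project-owned address rather than a personal Gmail account so the channel survives maintainer changes. The policy also asks researchers to keep findings confidential for 60 days but does not state what the project will do at the end of that window (coordinated publication, an advisory in the repository), and the 72-hour confirmation commitment names no fallback contact if the single maintainer is unavailable. Two smaller points: the file lacks a trailing newline (`\ No newline at end of file`), and the headings jump from `#` straight to `###`; `##` would keep the hierarchy consistent with the README.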