
SECURITY.md


Security Policy

Supported Versions

Unless an advisory states otherwise, only the latest version of Zero-TOTP and Zero-TOTP rescue is supported and receives security updates.

You can find the version in the release section of each project's repository.

Reporting a Vulnerability

Report process

If you believe you have discovered a security vulnerability in Zero-TOTP, please report it to us by emailing developer@zero-totp.com. We ask that you do not report security vulnerabilities directly on GitHub, public forums, or any other public channel.

Please encrypt all sensitive information with the following PGP key

Vulnerability evaluation

We evaluate reported vulnerabilities based on the following criteria:

  1. Impact: The severity and potential impact of the vulnerability.
  2. Likelihood: The likelihood of the vulnerability being exploited.
  3. Complexity: The complexity of exploiting the vulnerability.

You can use CVSS 3 to evaluate the criticality of your findings. Findings with a CVSS score below 3 will not necessarily be treated, or may be treated with an increased delay. Of course, the most critical vulnerabilities will be treated before everything else, while the investigation is carried out.