(chore): Add security documentation (#3047)
* (chore): Add security documentation

Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>

---------

Signed-off-by: schristoff <28318173+schristoff@users.noreply.github.com>
1 parent e7fdd77, commit 40af48c
Showing 3 changed files with 83 additions and 0 deletions.
@@ -0,0 +1,36 @@ | ||
# Security policy | ||
|
||
## Communication | ||
|
||
We will publish known vulnerabilities through a [GitHub Security Advisory](https://github.com/getporter/porter/security/advisories) once they have been addressed to inform the community of their potential scope, impact, and mitigation. | ||
|
||
## Reporting a vulnerability | ||
|
||
Porter and its maintainers takes the security of the project seriously, and we appreciate your efforts to responsibly disclose your findings to us. | ||
|
||
> **Please do not report security vulnerabilities through public GitHub issues.** | ||
Instead, please report them through our [private vulnerability reporting](https://github.com/getporter/porter/security/advisories/new) form. | ||
|
||
It should contain: | ||
* description of the problem | ||
* precise and detailed steps (include screenshots) that created the | ||
problem | ||
* the affected version(s) | ||
* any possible mitigations, if known | ||
You will receive a reply from one of the maintainers within **3 days** | ||
acknowledging receipt of the email. | ||
|
||
You may be contacted by a Porter project maintainerto further discuss the reported item. | ||
Please bear with us as we seek to understand the breadth and scope of the | ||
reported problem, recreate it, and confirm if there is a vulnerability | ||
present. | ||
|
||
|
||
This project follows a **10 disclosure timeline**. Refer to our [embargo policy](./embargo-policy.md) for more information. | ||
|
||
## Supported Versions | ||
|
||
Porter remains in the process of getting to a stable v1.0 release, and as such does not currently provide a long-term supported version. | ||
We make a good faith effort to respond to security issues in a timely manner and will release version updates as needed to address them. | ||
Users should expect to upgrade to the latest release version to stay current on security updates. |
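Review bot: the disclosure timeline in `This project follows a **10 disclosure timeline**.` is missing its unit (days? weeks?); the same bare figure appears in embargo-policy.md in this commit, so both files should state the same unit. Two Markdown rendering issues: the line `Instead, please report them through our ...` immediately after the `>` blockquote will be rendered as part of the quote (lazy continuation), so a blank line is needed before it, and `You will receive a reply from one of the maintainers within **3 days**` follows the last bullet without a blank line, so it will render as a continuation of the `any possible mitigations, if known` item instead of a new paragraph. Also, `acknowledging receipt of the email` is inconsistent with the instruction to use the private reporting form rather than email; `maintainerto` needs a space; and `Porter and its maintainers takes` should be `take`.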
@@ -0,0 +1,17 @@ | ||
# Security Contacts | ||
|
||
Defined below are the security persons of contact for this project. If you have | ||
questions regarding the triaging and handling of incoming problems, they may be | ||
contacted. | ||
|
||
The following security contacts have agreed to abide by the [Embargo Policy](./embargo-policy.md) | ||
and will be removed and replaced if found to be in violation of that agreement. | ||
|
||
DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, USE THE | ||
INSTRUCTIONS AT [VULNERABILITY REPORTING FORM](https://github.com/getporter/porter/security/advisories/new) | ||
|
||
Security Contacts: | ||
|
||
* [Sarah Christoff](https://github.com/schristoff) | ||
* [Steven Gettys](https://github.com/sgettys) | ||
* [Brian DeGeeter](https://github.com/bdegeeter) |
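Review bot: `security persons of contact` reads oddly; `security points of contact` is the usual phrase, and `If you have questions ... they may be contacted` should name who `they` are (the contacts listed below). The all-caps link text `[VULNERABILITY REPORTING FORM]` points at the same URL that SECURITY.md calls `private vulnerability reporting`; using one name for it in both files avoids the impression that these are two different channels. The `DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES` warning is the key line of this file and is correctly placed ahead of the list.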
@@ -0,0 +1,30 @@ | ||
# Embargo Policy | ||
|
||
This policy forbids members of this project's [security contacts](./SECURITY_CONTACTS.md) and others | ||
defined below from sharing information outside of the security contacts and this | ||
listing without need-to-know and advance notice. | ||
|
||
The information members and others receive from the list defined below must: | ||
|
||
* not be made public, | ||
* not be shared, | ||
* not be hinted at | ||
* must be kept confidential and close held | ||
|
||
Except with the list's explicit approval. This holds true until the public | ||
disclosure date/time that was agreed upon by the list. | ||
|
||
If information is inadvertently shared beyond what is allowed by this policy, | ||
you are REQUIRED to inform the [security contacts](./SECURITY_CONTACTS.md) of exactly what | ||
information leaked and to whom. A retrospective will take place after the leak | ||
so we can assess how to not make this mistake in the future. | ||
|
||
Violation of this policy will result in the immediate removal and subsequent | ||
replacement of you from this list or the Security Contacts. | ||
|
||
## Disclosure Timeline | ||
|
||
This project sustains a **10 disclosure timeline** to ensure we provide a | ||
quality, tested release. On some occasions, we may need to extend this timeline | ||
due to complexity of the problem, lack of expertise available, or other reasons. | ||
Submitters will be notified if an extension occurs. |
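Review bot: `others defined below` and `the list defined below` refer to a definition that does not exist in this file; the only list the policy can mean is the one in SECURITY_CONTACTS.md, so either link to it explicitly or drop `defined below`. `Except with the list's explicit approval.` is a sentence fragment that should be joined to the preceding bullet list (`... unless the list explicitly approves.`), and the last bullet `must be kept confidential and close held` repeats the `must` already in the lead sentence while the third bullet lacks the trailing comma the first two have. As in SECURITY.md, `**10 disclosure timeline**` needs its unit stated.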