Merge pull request #2489 from TracksApp/security_policy
Add security policy
ZeiP authored Sep 24, 2020
2 parents 273de98 + 5fc1fec commit ac7afb9
Showing 1 changed file with 45 additions and 3 deletions.
48 changes: 45 additions & 3 deletions SECURITY.md
@@ -1,13 +1,13 @@
# Security Policy
# Security policy

## Supported Versions
## Supported versions

| Version | Supported |
| ------- | ------------------ |
| 2.4.x | :white_check_mark: |
| <2.4.x | :x: |

## Reporting a Vulnerability
## Reporting a vulnerability

Please report any security issues via email to [email protected].
If you don't get a reply for your email, resend the email after one week.
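Review bot: The reporting instructions in this hunk give reporters no way to confirm receipt beyond "resend after one week", and the address as rendered here ("[email protected]") is not a usable contact; please confirm the real address renders in the committed file and add an expected acknowledgement time plus a fallback contact (for example a named maintainer's GitHub handle) so a report is not lost if the mailbox is unmonitored. Separately, the heading changes in this hunk are capitalization only ("Supported Versions" to "Supported versions"), which is fine, but the supported-versions table should state which minor releases receive security fixes rather than only "2.4.x", so instance maintainers know when an upgrade is required.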
@@ -19,3 +19,45 @@ You can (and should) encrypt the email you send with OpenGPG key

Unfortunately Tracks is not part of a bug bounty program, but we do provide
appropriate credits for disclosing security issues.

## Evaluating and fixing a vulnerability

When a security vulnerability is reported to the maintainers, the
maintainers first validate the vulnerability and preliminarily estimate
the risk caused by the vulnerability.

Any security issue is kept strictly confidential until a fix is made and
validated by the maintainers and, if necessary, the reporter. Any fixes
are not committed to the public repository before publishing.

When a fix has been validated, the final risk assessment of the issue is
done based on the latest version of the CVSS system and the criteria below.

## Security advisories

A security advisory is a public announcement managed by the maintainers
which informs instance maintainers about a security problem in the software
and the steps instance maintainers should take to address it. On release it
is published widely so that instance maintainers can address it quickly.

If necessary, the maintainers can decide to issue a pre-announcement
informing the instance maintainers of an upcoming security advisory. This
is done when timely addressing of the vulnerability is very important due
to the high risk caused by it.

Security advisories are published for security vulnerabilities that

* Are caused by code included in the software repository (not any libraries
or other code not itself in the repository),
* Exist in stable or release candidate releases (not alpha or beta
releases or unreleased code),
* Are exploitable either without logging in or without admin privileges, and
* Affect either the whole instance or other users than the one running the
exploit.

## Other vulnerabilities

If the vulnerability does not warrant a security advisory, the vulnerability
is fixed and released with a note in the release notes of the release.
Details of the vulnerability as well as the risk assessment and grounds for
not publishing a security advisory are included.
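Review bot: The sentence "the final risk assessment of the issue is done based on the latest version of the CVSS system and the criteria below" is ambiguous, because the four bulleted criteria under "Security advisories" decide whether an advisory is issued, not how risky the issue is; suggest rewording to "the final risk assessment is done with the latest CVSS version, and the criteria below decide whether a security advisory is published". The policy also never states an embargo end or disclosure timeline: "Any security issue is kept strictly confidential until a fix is made and validated" tells the reporter nothing about when they may publish if no fix appears, so please add a maximum disclosure window (with the reporter's agreement) and say who coordinates the CVE request. Finally, the first criterion excludes vulnerabilities in "libraries or other code not itself in the repository"; since a vulnerable pinned dependency still affects every instance, state that such issues at least get the release-notes treatment described under "Other vulnerabilities" rather than being out of scope entirely.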
