docs: add a security policy document (#504)
Document the security policy for the Pebble project. See also [SEC0026](https://docs.google.com/document/d/1RolsiWCWhM-sVmHFjLt-Mq5yKcgQJ8GLXssGJREjSL0/edit).
1 parent 9d7e74e, commit 999e48b
Showing 1 changed file with 38 additions and 0 deletions.
@@ -0,0 +1,38 @@ | ||
# Security policy | ||
|
||
## Supported versions | ||
|
||
Security updates will be released for all major versions that have had releases in the last year, | ||
and for all versions of Pebble that are bundled with [Juju](https://github.com/juju/juju) | ||
releases that [receive security updates](https://juju.is/docs/juju/roadmap). | ||
|
||
## Reporting a vulnerability | ||
|
||
Please provide a description of the issue, the steps you took to | ||
create the issue, affected versions, and, if known, mitigations for | ||
the issue. | ||
|
||
The easiest way to report a security issue is through | ||
[GitHub's security advisory for this project](https://github.com/canonical/pebble/security/advisories/new). See | ||
[Privately reporting a security | ||
vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) | ||
for instructions on reporting using GitHub's security advisory feature. | ||
|
||
The Pebble GitHub admins will be notified of the issue and will work with you | ||
to determine whether the issue qualifies as a security issue and, if so, in | ||
which component. We will then figure out a fix, get a CVE | ||
assigned, and coordinate the release of the fix. | ||
|
||
You may also send email to [email protected]. Email may optionally be | ||
encrypted to OpenPGP key | ||
[`4072 60F7 616E CE4D 9D12 4627 98E9 740D C345 39E0`](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x407260f7616ece4d9d12462798e9740dc34539e0) | ||
|
||
If you have a deadline for public disclosure, please let us know. | ||
Our vulnerability management team intends to respond within 3 working | ||
days of your report. This project aims to resolve all vulnerabilities | ||
within 90 days. | ||
|
||
The [Ubuntu Security disclosure and embargo | ||
policy](https://ubuntu.com/security/disclosure-policy) contains more | ||
information about what you can expect when you contact us, and what we | ||
expect from you. |
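Review bot: the "Reporting a vulnerability" section never tells reporters not to file security bugs as public GitHub issues; a short sentence before the advisory link ("Please do not report security issues through public GitHub issues") would prevent accidental public disclosure in the tracker. Two smaller points in the same hunk: "the steps you took to create the issue" reads better as "the steps to reproduce the issue", and the sentence that ends at the OpenPGP fingerprint link is missing its terminal period. The paragraph also names two different parties ("The Pebble GitHub admins" and "Our vulnerability management team"); stating which one owns the 3-working-day response would make the commitment clearer.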