Merge pull request #5 from inextensodigital/chore-add-security-template

hadeli · web-flow · commit ce8275a67042 · 2020-08-20T16:13:51.000+02:00
Chore: Add security template.
diff --git a/security.md b/security.md
@@ -0,0 +1,34 @@
+## Security
+
+We take the security of our software products and components seriously, which includes all source code repositories managed through our [In Extenso Digital's GitHub organization](https://github.com/inextensodigital).
+
+If you believe you have found a security vulnerability in any In Extenso Digital's repository that meets Wikipedia's definition of a security vulnerability ([English version](https://en.wikipedia.org/wiki/Vulnerability_(computing)), [French version](https://fr.wikipedia.org/wiki/Vuln%C3%A9rabilit%C3%A9_(informatique))), please report it to us as described below.
+
+## Reporting security vulnerability Issues
+
+:warning: **Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, **please report them by email** to [rssi@inextenso.digital](mailto:rssi@inextenso.digital).
+
+You should receive a response as soon as possible. If for some reason you do not, please follow up via email to our  [Administrator Team](mailto:admin@inextenso.digital) to ensure we received your original message.
+
+For private repositories, you can also send an email or directly use the dedicated issue template for security vulnerability.
+
+:bulb: In any ways, please include the requested information listed below (**as much as you can provide**) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. Denial of service, Elevation of privilege, Information disclosure, Remote Code Execution, Security feature bypass, buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Step-by-step instructions to reproduce the issue, including any special configuration required to reproduce
+  * (if possible) Proof-of-concept or exploit code
+  * Description and Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Preferred Languages
+
+We prefer all communications to be in English, but if you are not comfortable, French is acceptable too.
+
+## Policy
+
+In Extenso Digital follows the principle of [Microsoft's Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
