|
1 |
| -# Security issues |
| 1 | +# Security Policy |
2 | 2 |
|
3 |
| -If you find a security issue and want to responsibly disclose it, please contact the following email addresses: |
| 3 | +## Reporting a Vulnerability |
4 | 4 |
|
5 |
| -Wolf Vollprecht < [email protected]> |
6 |
| - |
| 5 | +The mamba team takes security issues seriously. We appreciate your efforts to responsibly disclose your findings. |
7 | 6 |
|
8 |
| -Thanks! |
| 7 | +### Reporting Process |
| 8 | + |
| 9 | +1. **DO NOT** open a public issue to report a security vulnerability. |
| 10 | +2. Instead, please email your findings to [[email protected]](mailto:[email protected]). |
| 11 | +3. Include as much information as possible to help us understand and reproduce the issue: |
| 12 | + - A detailed description of the vulnerability |
| 13 | + - Steps to reproduce the issue |
| 14 | + - Potential impact of the vulnerability |
| 15 | + - Any possible mitigations |
| 16 | + - Your name/handle if you'd like to be credited |
| 17 | + |
| 18 | +### What to Expect |
| 19 | + |
| 20 | +- You will receive an acknowledgment of your report within 48 hours. |
| 21 | +- The team will investigate and provide regular updates about the progress. |
| 22 | +- Once the issue is confirmed, we will work on a fix. |
| 23 | +- After the fix is released, we will publicly acknowledge the discovery (unless you prefer to remain anonymous). |
| 24 | + |
| 25 | +## Supported Versions |
| 26 | + |
| 27 | +We currently provide security updates for the following versions: |
| 28 | + |
| 29 | +| Version | Supported | |
| 30 | +| ------- | ------------------ | |
| 31 | +| 1.x.x | :white_check_mark: | |
| 32 | +| < 1.0 | :x: | |
| 33 | + |
| 34 | +## Security Best Practices |
| 35 | + |
| 36 | +When using mamba in your projects: |
| 37 | + |
| 38 | +1. Always use the latest stable version |
| 39 | +2. Regularly update your dependencies |
| 40 | +3. Use trustworthy package sources |
| 41 | +4. Follow the principle of least privilege when configuring mamba |
| 42 | + |
| 43 | +## Public Disclosure Process |
| 44 | + |
| 45 | +1. Security issues will be announced via GitHub Security Advisories |
| 46 | +2. Critical updates will also be announced on social media |
| 47 | +3. CVE IDs will be requested for significant security issues |
| 48 | + |
| 49 | +## Security-Related Configuration |
| 50 | + |
| 51 | +To ensure the secure use of mamba: |
| 52 | + |
| 53 | +- Verify package signatures when available |
| 54 | +- Use secure channels for package downloads |
| 55 | +- Implement appropriate access controls in your environment |
| 56 | + |
| 57 | +## Bug Bounty Program |
| 58 | + |
| 59 | +Currently, we do not operate a bug bounty program, but we deeply appreciate the work of security researchers who help keep mamba secure. |
| 60 | + |
| 61 | +## Previous Security Issues |
| 62 | + |
| 63 | +For a list of previously disclosed security vulnerabilities, please see our [Security Advisories](https://github.com/mamba-org/mamba/security/advisories) page. |
| 64 | + |
| 65 | +## Code of Conduct |
| 66 | + |
| 67 | +Please note that all security researchers must follow our [Code of Conduct](CODE_OF_CONDUCT.md) when reporting vulnerabilities. |
| 68 | + |
| 69 | +## Contact |
| 70 | + |
| 71 | +For any questions about this security policy: |
| 72 | + |
| 73 | +- Email: [info@quantstack,net ](mailto:[email protected]) |
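Review bot: The link text on the final Contact line (new line 73) reads `info@quantstack,net ` with a comma in place of the dot and a trailing space, so the visible address will not match the `mailto:` target; change the display text to the same address as the link. Also worth checking before merge: the old file named an individual maintainer as the contact, while the new one routes reports to a shared mailbox, so make sure that mailbox is monitored by someone who can meet the 48-hour acknowledgment promise in "What to Expect", and keep the "Supported Versions" table in step with actual releases so the policy does not advertise support for versions that no longer receive fixes.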