This repository was archived by the owner on Jul 11, 2023. It is now read-only.

docs(contrib): add security.md #4722

Merged (3 commits), Jun 8, 2022
50 changes: 50 additions & 0 deletions SECURITY.md
@@ -0,0 +1,50 @@
# Open Service Mesh Security Policies and Procedures

This document outlines security procedures and general policies for the
Open Service Mesh open source project as found on https://github.com/openservicemesh/osm.

* [Reporting a Vulnerability](#reporting-a-vulnerability)
* [Disclosure Policy](#disclosure-policy)

## Reporting a Vulnerability

**IMPORTANT: Please do not open public issues on GitHub for security vulnerabilities**

The OSM team and community take all security vulnerabilities
seriously. Thank you for improving the security of our open source
software. We appreciate your efforts and responsible disclosure and will
make every effort to acknowledge your contributions.

Report security vulnerabilities by emailing the OSM security team at:

[email protected]

Please provide the following:

- Individual's identity and organization
- Detailed description of the issue and the consequences of the vulnerability
- Estimation of the attack surface
- 3rd party software, if any, used with OSM
- Detailed steps to reproduce the issue

A maintainer will acknowledge your email and send a detailed
response within 3 business days indicating the next steps in
handling your report. After the initial reply to your report, the team
will endeavor to keep you informed of the progress towards a fix and
full announcement, and may ask for additional information or guidance.

Report potential security issues, or known security issues in a
third party modules by opening a Github Issue.

## Disclosure Policy

When the team receives a security bug report, they will assign it
to someone to be a primary handler. This person will coordinate the fix
and release process, involving the following steps:

* Confirm the problem and determine the affected versions.
* Audit code to find any potential similar problems.
* Prepare fixes for all releases still under maintenance. These fixes
will be released as fast as possible.

*Inspired by the [Atomist Security Template](https://github.com/atomist/samples/blob/master/SECURITY.md)*
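Review bot: the last paragraph of the Reporting section ("Report potential security issues, or known security issues in a third party modules by opening a Github Issue.") contradicts the bold warning at the top of the same section and the emailing instruction just above it: a reporter following it would post a potential, not-yet-public vulnerability on the public tracker. Restrict the GitHub-issue path to problems that are already public (for example a published advisory for a third-party dependency used with OSM) and route everything else to the security mailbox; while there, fix the grammar ("in a third party modules" should be "in third-party modules"). Two smaller points in the same hunk: the Reporting section promises to keep the reporter informed of "progress towards a fix and full announcement", but the Disclosure Policy steps stop at preparing fixes, so add a step saying how and where the announcement is made (release notes, a security advisory, CVE request) and the expected timeline from acknowledgement to disclosure; and "Individual's identity and organization" reads as a required field, which can deter anonymous reporters, so mark it optional. Finally, the mailbox is the only channel and no public key is listed, so reporters will send detailed reproduction steps in cleartext; consider publishing a PGP key for the security address.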