forked from mystiq/dex
Merge pull request #2090 from dexidp/security-policy
Initial security policy
This commit is contained in:
commit
674631c9ab
2 changed files with 26 additions and 6 deletions
24
.github/SECURITY.md
vendored
Normal file
24
.github/SECURITY.md
vendored
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
# Security Policy
|
||||||
|
|
||||||
|
## Reporting a vulnerability
|
||||||
|
|
||||||
|
To report a vulnerability, send an email to [cncf-dex-maintainers@lists.cncf.io](mailto:cncf-dex-maintainers@lists.cncf.io)
|
||||||
|
detailing the issue and steps to reproduce. The reporter(s) can expect a
|
||||||
|
response within 48 hours acknowledging the issue was received. If a response is
|
||||||
|
not received within 48 hours, please reach out to any maintainer directly
|
||||||
|
to confirm receipt of the issue.
|
||||||
|
|
||||||
|
## Review Process
|
||||||
|
|
||||||
|
Once a maintainer has confirmed the relevance of the report, a draft security
|
||||||
|
advisory will be created on Github. The draft advisory will be used to discuss
|
||||||
|
the issue with maintainers, the reporter(s).
|
||||||
|
If the reporter(s) wishes to participate in this discussion, then provide
|
||||||
|
reporter Github username(s) to be invited to the discussion. If the reporter(s)
|
||||||
|
does not wish to participate directly in the discussion, then the reporter(s)
|
||||||
|
can request to be updated regularly via email.
|
||||||
|
|
||||||
|
If the vulnerability is accepted, a timeline for developing a patch, public
|
||||||
|
disclosure, and patch release will be determined. The reporter(s) are expected
|
||||||
|
to participate in the discussion of the timeline and abide by agreed upon dates
|
||||||
|
for public disclosure.
|
|
@ -102,13 +102,9 @@ All changes or deprecations of connector features will be announced in the [rele
|
||||||
* Client libraries
|
* Client libraries
|
||||||
* [Go][go-oidc]
|
* [Go][go-oidc]
|
||||||
|
|
||||||
## Reporting a security vulnerability
|
## Reporting a vulnerability
|
||||||
|
|
||||||
Due to their public nature, GitHub and mailing lists are NOT appropriate places
|
Please see our [security policy](.github/SECURITY.md) for details about reporting vulnerabilities.
|
||||||
for reporting vulnerabilities.
|
|
||||||
|
|
||||||
Please email the [maintainers list](mailto:cncf-dex-maintainers@lists.cncf.io) to report issues that may
|
|
||||||
be security-related.
|
|
||||||
|
|
||||||
## Getting help
|
## Getting help
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue