Create Security Policy

Add instructions about security vulnerability reporting
This commit is contained in:
Ikel Atomig 2024-05-26 06:55:31 +00:00 committed by GitHub
parent 7b78b884c7
commit f63310cd68
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 29 additions and 0 deletions

SECURITY.md Normal file

@ -0,0 +1,29 @@
# Security Policy
## Supported Versions
We only support the latest versions and older versions are no longer supported by us. Support ends for the existing version as soon as a new release is done.
## Reporting a Vulnerability
- The Version affected
- The commit which knowingly or unknowingly brings the vulnerability
- How to reproduce it - Either a detailed write up or Video as the reporter prefers but details are important.
- Possible or full scale solutions that the reporter as come up with to fix them and shouldn't affect other functions for a long term.
- The time you have taken to find the vulnerability
- Depending the level of it, you can choose to make an immediate PR or being high, recommeneded to send them privately to us.
We prefer this in the format of PDF, write in an editor of your choice. For referrencing files, please zip all the files. And reference mark them like on wikipedia for sources.
If the vulnerability is too high, it is suggested to report it to us privately in the matrix network (preferred for faster response) directly to developers or mail to official contact email and ping the team members on Matrix channel.
We will assess and after accepting your vulnerability report we will work on it and release the fix provided by you, if not, made by us. If it is declined, you will get a detailed report back from us on why.
If vulnerability is high, and reported privately, we will tell about them in a later release publicly so that users are updated and secure by then. Even if incase we forget, we will disclose if another person what was this commit about or something. Even if not, then, We will disclose it in our annual vulnerability transparency report.
No software is secure and could be hacked. We try the best to write good code with safety. It would be great if you help us.
And there is bounty, If severity is too high, the team will consider awarding a amount from the donations it had received depending on your report. It's a community project, you do this as your wish. However, awarding the amount and how much amount is totally the decisions of the libredirect maintainers. So, don't get your hopes too high. We strive on community's donations that motivates us to better build the extension further.
Thanks for reporting vulnerabilities if any, Happy Hunting !
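Review bot: The "Reporting a Vulnerability" section gives a reporter nothing actionable to contact: the bullet list starts with no sentence saying these are the details a report must include, and the private channels the text relies on ("in the matrix network", "official contact email") are never named, so please add a lead-in such as "Please include the following in your report:" and the concrete Matrix room and e-mail address (or a link to where they are published). The bullet "Depending the level of it, you can choose to make an immediate PR" also sits uneasily with the later instruction to report high-severity issues privately; an immediate public PR discloses the issue before a fixed release exists, so consider asking that fixes for any unreleased vulnerability be coordinated privately first and the PR opened once the maintainers agree. The "Supported Versions" paragraph would read more clearly as the usual two-column version/supported table. Minor: "reporter as come up with" should be "has come up with", "recommeneded" should be "recommended", "referrencing" should be "referencing", and "a amount" should be "an amount".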