diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..90ef9bf13 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,95 @@ +# Security Policy + +## Supported Versions + +Unless otherwise specified, we recommend to only use the most recent minor +version release. + +## Reporting a Vulnerability + +**Please do not file a public ticket** mentioning the vulnerability. + +To disclose a vulnerability, please submit a `Security Advisory` via the +`Security` tab on the impacted repository. + +If a repository doesn't have the proper security reporting set up, please email +`security@astria.org` to report the vulnerability. + +## Disclosure Policy + +Please first submit the vulnerability you discovered using the instructions in +[Reporting a Vulnerability](#reporting-a-vulnerability). Once you have done so, +you may share the details with third parties after either of the following, +whichever is sooner: + +- the vulnerability has been fixed and the Astria security team has permitted + disclosure; or +- 120 days have passed since your submission + +### Scope + +The scope of this security policy applies to the code repositories under the +[@astriaorg](https://github.com/astriaorg) Github org and any related +infrastructure. + +### Rewards + +Astria does not have a formal reward policy. +Researchers should not expect compensation for discovering vulnerabilities. +However, we are grateful for all legitimate vulnerability discoveries +and will acknowledge researchers after a fix has been widely deployed. + +### Official Communication Channel + +All security updates will be communicated via the security advisories in the +corresponding code repository that the vulnerability was reported. + +### Feedback on this Policy + +If you have suggestions for improving this policy, please submit a pull request. 
+ +### What to Expect from Us + +When working with us according to this policy, you can expect us to: + +- Extend Safe Harbor protection for your vulnerability research related to this policy; +- Work with you to understand and validate your report, + including providing a timely initial response to the submission; +- Work to remediate discovered vulnerabilities in a timely manner; and +- Recognize your contribution if you're the first to report + a unique vulnerability that triggers a code or configuration change. + +### Ground Rules for Researchers + +To encourage vulnerability research and to avoid any confusion between +good-faith hacking and malicious attack, we ask that you: + +- Follow this policy and any other relevant agreements. +- Report discovered vulnerabilities promptly. +- Avoid violating privacy, disrupting systems, destroying data, or harming user experience. +- Use only specified reporting method and official communication channels. +- Keep vulnerability details confidential until fixed, as per the Disclosure Policy. +- Test only in-scope systems and respect out-of-scope + systems and activities. +- Limit data access when demonstrating a Proof of Concept, and immediately report any accidental access to sensitive data. +- Interact only with test accounts you own or have explicit permission to use. +- Do not engage in extortion. 
+ +### Safe Harbor + +When conducting vulnerability research in full compliance with this policy and +all applicable laws, we consider this research to be: + +- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) + (and/or similar state laws), and we will not initiate or support + legal action against you for accidental, good faith + violations of this policy; +- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring +a claim against you for circumvention of technology controls; +- Exempt from restrictions in our Terms & Conditions that would interfere with +conducting security research, and we waive those restrictions on a limited basis +for work done under this policy; and +- Lawful, helpful to the overall security of the Internet, and +conducted in good faith. + +If you're unsure whether your research is consistent with this policy, please report through our official channels before proceeding.
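Review bot: The "Official Communication Channel" sentence in this hunk is ungrammatical and should read "...the security advisories in the code repository to which the vulnerability was reported." Three smaller wording fixes in the same hunk: "we recommend to only use the most recent minor version release" should be "we recommend using only the most recent minor version release"; "Github org" should be "GitHub org"; and "Use only specified reporting method" should be "Use only the specified reporting method". On substance, the "Reporting a Vulnerability" section names `security@astria.org` as the fallback channel but gives reporters no way to encrypt the details they send there; consider publishing a PGP key (or a security.txt pointing at one) next to that address, since the policy elsewhere asks researchers to keep vulnerability details confidential. Similarly, "What to Expect from Us" promises a "timely initial response" while the disclosure policy fixes a hard 120-day window; stating a concrete acknowledgement target (for example a number of business days) would make the two sections consistent and give researchers a clear point at which to escalate.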