From d59e50fff0a52f269ce4b9b25ca60bf2c4b942b5 Mon Sep 17 00:00:00 2001 From: Scott Hurd Date: Fri, 6 Sep 2024 13:39:26 -0700 Subject: [PATCH 1/4] Init SECURITY.md --- SECURITY.md | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..057cc0f9b --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,89 @@ +# Security Policy + +## Supported Versions + +Unless otherwise specified, we recommend to only use the most recent minor +version release. + +## Reporting a Vulnerability + +**Please do not file a public ticket** mentioning the vulnerability. + +To disclose a vulnerability, please submit a `Security Advisory` via the +`Security` tab on the impacted repository. + +If a repository doesn't have the proper security reporting set up, please email +`security@astria.org` to report the vulnerability. + +## Disclosure Policy + +Please first submit the vulnerability you discovered using the instructions in +[Reporting a Vulnerability](#reporting-a-vulnerability). Once you have done so, +you may share the details with third parties after either of the following, +whichever is sooner: + +- the vulnerability has been fixed and the Astria security team has permitted disclosure; or +- 120 days have passed since your submission + +### Scope + +The scope of this security policy applies to the code repositories under the +[@astriaorg](https://github.com/astriaorg) Github org and any related +infrastructure. + +### Rewards + +Astria does not have a formal reward policy. Researchers should not expect compensation for discovering vulnerabilities. However, we are grateful for all legitimate vulnerability discoveries and will acknowledge researchers after a fix has been widely deployed. + +### Official Communication Channel + +All security updates will be communicated via the security advisories in the +corresponding code repository that the vulnerability was reported. + +### Feedback on this Policy + +If you have suggestions for improving this policy, please submit a pull request. 
+ +### What to Expect from Us + +When working with us according to this policy, you can expect us to: + +- Extend Safe Harbor protection for your vulnerability research related to this policy; +- Work with you to understand and validate your report, including providing a +timely initial response to the submission; +- Work to remediate discovered vulnerabilities in a timely manner; and +- Recognize your contribution if you're the first to report a unique vulnerability that triggers a code or configuration change. + +### Ground Rules for Researchers + +To encourage vulnerability research and to avoid any confusion between +good-faith hacking and malicious attack, we ask that you: + +- Follow this policy and any other relevant agreements. +- Report discovered vulnerabilities promptly. +- Avoid violating privacy, disrupting systems, destroying data, or harming user experience. +- Use only the specified reporting method and official communication channels. +- Keep vulnerability details confidential until fixed, as per the Disclosure Policy. +- Test only in-scope systems and respect out-of-scope systems and activities. +- Limit data access when demonstrating a Proof of Concept, and immediately report any accidental access to sensitive data. +- Interact only with test accounts you own or have explicit permission to use. +- Do not engage in extortion. 
+ + +### Safe Harbor + +When conducting vulnerability research in full compliance with this policy and +all applicable laws, we consider this research to be: + +- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or +similar state laws), and we will not initiate or support legal action against +you for accidental, good faith violations of this policy; +- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring +a claim against you for circumvention of technology controls; +- Exempt from restrictions in our Terms & Conditions that would interfere with +conducting security research, and we waive those restrictions on a limited basis +for work done under this policy; and +- Lawful, helpful to the overall security of the Internet, and conducted in good +faith. + +If you're unsure whether your research is consistent with this policy, please report through our official channels before proceeding. From 4def1d6d635efb9bf3a58fb9c46b4e8e90e0e14c Mon Sep 17 00:00:00 2001 From: Scott Hurd Date: Fri, 6 Sep 2024 13:50:33 -0700 Subject: [PATCH 2/4] markdown-lint --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 057cc0f9b..6e406b62f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,7 +22,8 @@ Please first submit the vulnerability you discovered using the instructions in you may share the details with third parties after either of the following, whichever is sooner: -- the vulnerability has been fixed and the Astria security team has permitted disclosure; or +- the vulnerability has been fixed and the Astria security team has permitted + disclosure; or - 120 days have passed since your submission ### Scope 
@@ -69,7 +70,6 @@ good-faith hacking and malicious attack, we ask that you: - Interact only with test accounts you own or have explicit permission to use. - Do not engage in extortion. - ### Safe Harbor When conducting vulnerability research in full compliance with this policy and From 40bef6c56fd596ee4a700c57a465b82186a09611 Mon Sep 17 00:00:00 2001 From: Scott Hurd Date: Fri, 6 Sep 2024 13:54:56 -0700 Subject: [PATCH 3/4] strict_markdown_lint --- SECURITY.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 6e406b62f..95ce2d967 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -34,7 +34,10 @@ infrastructure. ### Rewards -Astria does not have a formal reward policy. Researchers should not expect compensation for discovering vulnerabilities. However, we are grateful for all legitimate vulnerability discoveries and will acknowledge researchers after a fix has been widely deployed. +Astria does not have a formal reward policy. +Researchers should not expect compensation for discovering vulnerabilities. +However, we are grateful for all legitimate vulnerability discoveries +and will acknowledge researchers after a fix has been widely deployed. ### Official Communication Channel @@ -50,8 +53,8 @@ If you have suggestions for improving this policy, please submit a pull request. When working with us according to this policy, you can expect us to: - Extend Safe Harbor protection for your vulnerability research related to this policy; -- Work with you to understand and validate your report, including providing a -timely initial response to the submission; +- Work with you to understand and validate your report, + including providing a timely initial response to the submission; - Work to remediate discovered vulnerabilities in a timely manner; and - Recognize your contribution if you're the first to report a unique vulnerability that triggers a code or configuration change. 
@@ -63,7 +66,7 @@ good-faith hacking and malicious attack, we ask that you: - Follow this policy and any other relevant agreements. - Report discovered vulnerabilities promptly. - Avoid violating privacy, disrupting systems, destroying data, or harming user experience. -- Use only the specified reporting method and official communication channels. +- Use only specified reporting method and official communication channels. - Keep vulnerability details confidential until fixed, as per the Disclosure Policy. - Test only in-scope systems and respect out-of-scope systems and activities. - Limit data access when demonstrating a Proof of Concept, and immediately report any accidental access to sensitive data. @@ -75,9 +78,10 @@ good-faith hacking and malicious attack, we ask that you: When conducting vulnerability research in full compliance with this policy and all applicable laws, we consider this research to be: -- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or -similar state laws), and we will not initiate or support legal action against -you for accidental, good faith violations of this policy; +- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) + (and/or similar state laws), and we will not initiate or support + legal action against you for accidental, good faith + violations of this policy; - Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls; - Exempt from restrictions in our Terms & Conditions that would interfere with From 557e8a8a48945fb2659c0fd4965f11d7841bc33e Mon Sep 17 00:00:00 2001 From: Scott Hurd Date: Fri, 6 Sep 2024 13:57:24 -0700 Subject: [PATCH 4/4] md013 --- SECURITY.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 95ce2d967..90ef9bf13 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -56,7 +56,8 @@ When working with us according to this policy, you can expect us to: - Work with you to understand and validate your report, including providing a timely initial response to the submission; - Work to remediate discovered vulnerabilities in a timely manner; and -- Recognize your contribution if you're the first to report a unique vulnerability that triggers a code or configuration change. +- Recognize your contribution if you're the first to report + a unique vulnerability that triggers a code or configuration change. ### Ground Rules for Researchers @@ -68,7 +69,8 @@ good-faith hacking and malicious attack, we ask that you: - Avoid violating privacy, disrupting systems, destroying data, or harming user experience. - Use only specified reporting method and official communication channels. - Keep vulnerability details confidential until fixed, as per the Disclosure Policy. -- Test only in-scope systems and respect out-of-scope systems and activities. +- Test only in-scope systems and respect out-of-scope + systems and activities. - Limit data access when demonstrating a Proof of Concept, and immediately report any accidental access to sensitive data. - Interact only with test accounts you own or have explicit permission to use. - Do not engage in extortion. @@ -87,7 +89,7 @@ a claim against you for circumvention of technology controls; - Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and -- Lawful, helpful to the overall security of the Internet, and conducted in good -faith. +- Lawful, helpful to the overall security of the Internet, and +conducted in good faith. If you're unsure whether your research is consistent with this policy, please report through our official channels before proceeding.
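Review bot: in the initial file (PATCH 1/4, hunk `@@ -0,0 +1,89 @@`), "we recommend to only use the most recent minor version release" under Supported Versions is ungrammatical; suggest "we recommend using only the most recent minor version release". In Official Communication Channel, "the corresponding code repository that the vulnerability was reported" is missing a preposition; suggest "the code repository in which the vulnerability was reported". Under Scope, "Github" should be spelled "GitHub". Since the primary reporting route is the Security tab advisory, it is worth stating that repository maintainers should enable private vulnerability reporting so that reporters do not have to fall back to the `security@astria.org` address.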
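Review bot: the hunk `@@ -63,7 +66,7 @@` in PATCH 3/4 drops the article from "Use only the specified reporting method", leaving "Use only specified reporting method", which is ungrammatical. If the motivation was a line-length lint rule, wrap the item instead, e.g. "- Use only the specified reporting method" followed by an indented continuation "  and official communication channels."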
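Review bot: in the hunk `@@ -87,7 +89,7 @@` of PATCH 4/4, the wrapped continuation "conducted in good faith." is not indented, while every other continuation introduced in this series (for example "  a unique vulnerability that triggers a code or configuration change." and "  systems and activities." in the same patch) uses two leading spaces. Suggest "  conducted in good faith." so the list items are formatted consistently.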