diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..f6667abd2 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,81 @@ +# GitHub Security Policy + +Last Updated: [12-09-2023] + +## Table of Contents + +1. [Scope](#scope) +2. [Reporting Security Issues](#reporting-security-issues) +3. [Responsible Disclosure](#responsible-disclosure) +4. [Vulnerability Handling](#vulnerability-handling) +5. [Security Best Practices](#security-best-practices) +6. [Access Control](#access-control) +7. [Incident Response](#incident-response) +8. [Security Training and Awareness](#security-training-and-awareness) +9. [Review and Updates](#review-and-updates) + +## 1. Scope + +This GitHub Security Policy outlines security guidelines, best practices, and procedures for Zimmerman when using GitHub repositories, organizations, and related services. This policy applies to all employees, contractors, and collaborators working with GitHub resources associated with Zimmerman. + +## 2. Reporting Security Issues + +If you discover a security vulnerability or any potential security issue related to GitHub repositories or services used by Zimmerman, please report it immediately to our security team via email at [github@zimmerman.team]. You can also use our private GitHub repository for confidential reporting. + +## 3. Responsible Disclosure + +Zimmerman is committed to responsible disclosure. We appreciate the efforts of security researchers and community members who help us improve our security. If you report a security issue to us, we will: + +- Acknowledge your report within [72 hours]. +- Work with you to understand and validate the issue. +- Keep you informed about our progress and actions. +- Credit your responsible disclosure in our security advisories if desired. + +## 4. Vulnerability Handling + +### 4.1 Vulnerability Classification + +We categorize vulnerabilities according to severity and impact. The following classifications are used: + +- **Critical**: Vulnerabilities that pose a severe risk to our systems, data, or users. 
+- **High**: Vulnerabilities with a significant impact but less severe than critical vulnerabilities. +- **Medium**: Vulnerabilities that have a moderate impact and may require attention. +- **Low**: Vulnerabilities with minimal impact but still warranting attention. + +### 4.2 Vulnerability Remediation + +Our security team will assess reported vulnerabilities, and depending on their severity, take appropriate action, which may include: + +- Patching or fixing the vulnerability. +- Communicating the issue to relevant stakeholders. +- Monitoring for potential exploitation. +- Publishing a security advisory. + +## 5. Security Best Practices + +To maintain the security of our GitHub repositories, we follow these best practices: + +- Regularly update and patch software components. +- Implement strong access controls. +- Enable two-factor authentication (2FA) for all GitHub accounts. +- Scan code for vulnerabilities using static analysis tools. +- Encrypt sensitive data and communication. +- Educate all personnel about security awareness. + +## 6. Access Control + +Access to GitHub repositories and organizations is controlled through role-based access control (RBAC). Permissions are granted based on job responsibilities and the principle of least privilege. Only authorized personnel should have access to sensitive repositories and organization settings. + +## 7. Incident Response + +In the event of a security incident related to GitHub repositories, Zimmerman has an incident response plan in place. All incidents are documented, investigated, and reported to the relevant authorities if necessary. All affected parties will be notified promptly. + +## 8. Security Training and Awareness + +All employees, contractors, and collaborators are required to undergo security training and adhere to security policies. Security awareness programs are conducted periodically to ensure that all personnel are informed about current threats and best practices. + +## 9. 
Review and Updates + +This GitHub Security Policy will be reviewed periodically and updated as needed to adapt to changing security threats and organizational requirements. It is the responsibility of Zimmerman to ensure that all members are aware of and adhere to this policy. + +
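Review bot: the table-of-contents links will not resolve against the headings as written; `[Scope](#scope)` points at `#scope`, but the heading is `## 1. Scope`, for which GitHub generates the anchor `#1-scope` (same for all nine entries), so either drop the number prefixes from the headings or change the links to the numbered anchors. The bracketed values `[12-09-2023]`, `[github@zimmerman.team]` and `[72 hours]` read as unfilled template placeholders and should be confirmed as final and written plainly (the address as a `mailto:` link, the date in an unambiguous form such as ISO 8601, since `12-09-2023` is readable as either 12 September or 9 December). Section 2 tells reporters they "can also use our private GitHub repository for confidential reporting" but never names or links it, so a reporter has no way to act on that option; add the link or remove the sentence.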