swift-server/RediStack
1
0
Fork 0
mirror of https://github.com/swift-server/RediStack.git synced 2026-05-03 07:32:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

[Docs] Add security policy

Browse Source
This commit is contained in:
Nathan Harris
2021-06-01 13:59:43 -07:00
parent 3ca471b226
commit 2cc63ec8f2
2 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+6
View File
@@ -85,6 +85,12 @@ For bugs or feature requests, file a new [issue](https://gitlab.com/mordil/RediS
For all other support requests, please email [support@redistack.info](mailto:support@redistack.info).
## Security Vulnerabilities
If you think you have found a security flaw in the library, please report it following this project's [Security Policy](https://gitlab.com/Mordil/RediStack/blob/master/SECURITY.md).
Project contributors will treat your report as top priority.
## Changelog
[SemVer](https://semver.org/) changes are documented for each release on the [releases page](https://gitlab.com/Mordil/RediStack/-/releases).
SECURITY.md
+35
View File
@@ -0,0 +1,35 @@
# Security Policy
Security is the top priority for this library and any report will be treated as urgent.
After sending a report, you should expect a response within **7 calendar days**. If you have not, please file a secondary report with the SSWG using [sswg-security-reports@forums.swift.org](mailto:sswg-security-reports@forums.swift.org).
Once a report has been received, and determined to be a valid issue, a fix should be released no later than **14 calendar days** from the date it was determined as valid.
After a fix has been implemented, a [CVE](https://cve.mitre.org/index.html) request will be filed with GitLab and issued according to [GitLab's CVE policies](https://about.gitlab.com/security/cve/).
Once the fix has been released, the original report may become public.
## Reporting Issues
If you have discovered a vulnerability in the project, please send your report directly to [support@redistack.info](mailto:support@redistack.info)
> Please prefix your subject line with `[SECURITY]`
These reports are immediately filed as confidential and only you and those with [report access](#report-access) will see any conversation from your initial report.
Example:
```
To: support@redistack.info
From: reporter@email.com
Subject: [SECURITY] DDOS Potential with PubSub
Body:
The current way that PubSub is implemented leaves the opportunity for a bad actor to cause a denial-of-service by...
```
> For tips on writing your vulnerability reports, refer to [How to Write a Better Vulnerability Report](https://medium.com/swlh/how-to-write-a-better-vulnerability-report-20163ab913fb), by Vickie Li
## Report Access
All [project members](https://gitlab.com/mordil/redistack/-/project_members), which includes [SSWG](https://swift.org/sswg/) representatives, are able to view confidential issues reported by following this security policy.