devicon icon indicating copy to clipboard operation
devicon copied to clipboard
verified publisher icon devicons

[OTHER] Add a security policy

Open Panquesito7 opened this issue 2 years ago • 1 comments

I have searched through the issues and didn't find my problem.

  • [X] Confirm

What would you like to share?

We should add a security policy to properly report vulnerabilities in case there are any in our code. CC: @devicons/devicon__reviewers.

Additional information

No response

Panquesito7 avatar Feb 02 '24 23:02 Panquesito7

Hey @Panquesito7, May I write a Security_Vulnerability_Reporting_Policy.md ?

It could include the following topics (Let me know, anything to include or exclude):

  1. Introduction:

    • Purpose of the policy.
    • Importance of reporting vulnerabilities responsibly.

  2. Reporting Process:

    • How and where to report vulnerabilities (email, issue tracker, etc.).
    • Contact information for reporting vulnerabilities.
    • Response time expectations.

  3. Information Required:

    • Details to include in the vulnerability report (description, impact, steps to reproduce, etc.).
    • Request for proof-of-concept code or scripts (if applicable).
    • Request for contact information for further communication (optional).

  4. Encryption:

    • Instructions for encrypting sensitive vulnerability reports (if applicable).
    • Provide a link to your organization's PGP public key.

  5. Responsiveness:

    • Commitment to acknowledging receipt of vulnerability reports.
    • Timelines for assessing and addressing reported vulnerabilities.
    • Communication protocol for providing updates on the status of reported vulnerabilities.

  6. Public Disclosure:

    • Coordination process for determining the timing of public disclosure.
    • Commitment to providing users with sufficient time to update systems before public disclosure.

  7. Scope:

    • Clarification of what aspects of the project the policy covers (code, documentation, dependencies, configurations, etc.).

  8. Responsible Disclosure:

    • Encouragement for responsible disclosure of security vulnerabilities.
    • Commitment to acknowledging and addressing valid vulnerability reports.

  9. Acknowledgment:

    • Expression of gratitude to security researchers and contributors who report vulnerabilities.

  10. Policy Maintenance:

    • Commitment to regularly reviewing and updating the policy as necessary.
    • Notification process for users in case of policy updates.

  11. Legal Disclaimer (if applicable):

    • Clarification of legal implications related to vulnerability reporting and disclosure.
    • Disclaimer of liability for issues arising from vulnerability reporting and disclosure.

AnshSinghSonkhia avatar Feb 07 '24 11:02 AnshSinghSonkhia