Vulnerability Disclosure Process for Curiefense

The Curiefense maintainers are committed to protecting the security and integrity of this project.

Submitting a vulnerability you’ve found

Information you submit under this process is only used to mitigate or remediate vulnerabilities.

If you believe you have found a security vulnerability, notify us as soon as possible after you discover it. Please submit your report to us by email at [email protected]. You may submit reports anonymously. We do not support PGP-encrypted email at this time.

What we would like to see from you

In your report:

  • Write in English.
  • Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
  • Offer a detailed description of the steps to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful). These should be benign, non-destructive proofs of concept so we can triage your report quickly and accurately.
  • Do not submit reports detailing non-exploitable vulnerabilities, reports indicating only that the services do not fully align with "best practice" (for example, missing security headers), or a high volume of low-quality reports (for example, raw output from an automated scanner).
  • Do not communicate any vulnerabilities or associated details by any means other than those described in this SECURITY.md file.
  • Do not expect or demand financial compensation for your research, testing, or disclosure of vulnerabilities.

What to expect

When you choose to share your contact information with us, we commit to communicating with you as openly and as quickly as possible.

  • Within 3 business days, we will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will prioritize fixing the vulnerability based on its impact, severity, and exploit complexity. Vulnerability reports may take some time to triage or address. You are welcome to ask for a status update, but please do so no more than once every 14 days, so that our teams can focus on remediation.
  • We will do our best to maintain an open dialogue with you to discuss issues and will work with you to determine whether and how the flaw reported will be made public.
  • We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
  • We will add your name or handle to curiefense.io.

Adapted from COVID Alert documentation