From 8c220ac824cceec1b0fb1066c0a11fa98eac1116 Mon Sep 17 00:00:00 2001 From: Sergey Kupletsky Date: Thu, 19 Sep 2024 11:26:34 +0200 Subject: [PATCH] chore: set up a security policy --- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..52ea138 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ +# Security Policy + +## Supported Versions + +We actively maintain and support the following versions of the project: + +| Version | Supported | +|-----------|--------------------| +| `1.x.x` | :white_check_mark: | +| `< 1.0.0` | :x: | + +Please make sure to update to the latest version to ensure you're using the most secure version of our software. + +## Reporting a Vulnerability + +If you find a vulnerability in our project, please report a security issue, please use the GitHub Security Advisory +["Report a Vulnerability"](https://github.com/zavoloklom/docker-compose-linter/security/advisories/new) tab. + +Include as much information as possible about the vulnerability: + +- A detailed description of the vulnerability. +- Steps to reproduce the issue. +- Potential impact of the vulnerability (e.g., data leak, privilege escalation). +- Any potential fixes or mitigation steps you've found. + +We aim to respond to security reports within 48 hours and provide a timeline for addressing the issue within a week. + +Once the issue is resolved, we will provide an acknowledgment in the release notes (unless you prefer to remain +anonymous). + +## Security Best Practices + +To help ensure the security of your usage of this project, we recommend the following: + +- Always use the latest version of the software. +- Avoid using the `latest` tag when pulling images. Instead, specify exact versions. +- Regularly audit dependencies for security vulnerabilities. +- Follow the principle of least privilege when configuring access. + +## Responsible Disclosure Policy + +We follow a responsible disclosure policy to ensure that security vulnerabilities are handled appropriately. We ask that +you: + +- Privately notify us of the issue before making any public disclosure. +- Allow a reasonable amount of time for us to address the vulnerability before you disclose it publicly. + +We appreciate your contributions to making our project more secure. 
Thank you for working with us to protect the +community.
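Review bot: the opening sentence of "Reporting a Vulnerability" is grammatically broken: "If you find a vulnerability in our project, please report a security issue, please use the GitHub Security Advisory ... tab" repeats "please" and leaves the first clause dangling. Suggest collapsing it to a single instruction, e.g. "If you find a vulnerability in our project, please report it through the GitHub Security Advisory ["Report a Vulnerability"](...) tab." Since this sentence is the one thing a reporter needs to act on, it is worth getting right before merge. The rest of the file reads cleanly, and the response-time commitment (48 hours to respond, a week to give a timeline) is a good concrete promise to publish alongside the private-disclosure request.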