From a73bed0eeeaae8053fcb90f2a72ffde15826d722 Mon Sep 17 00:00:00 2001 From: Kamil Aronowski Date: Wed, 3 Dec 2025 15:35:17 +0100 Subject: [PATCH] security.md: expand on reporting issues with responsible disclosures Signed-off-by: Kamil Aronowski --- docs/security.md | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/docs/security.md b/docs/security.md index 12fbc326..b3bae2b8 100644 --- a/docs/security.md +++ b/docs/security.md @@ -10,9 +10,28 @@ you can demonstrate an actual security vulnerability or provide us with reasonable steps we could follow to verify your claims. -If you’ve discovered a security issue affecting Dasharo, please send an -encrypted (using [Dasharo security team PGP key][sec-key] e-mail to this -address: `security@dasharo.com`. Please not that unencrypted e-mails sent to -this address may be ignored. +If you've discovered a security issue affecting Dasharo, either directly or +indirectly (e.g., the issue affects Dasharo Tools Suite, which is commonly used +to maintain Dasharo installation and updates), then we would be more than happy +to hear from you! We promise to take all reported issues seriously. If our +investigation confirms that an issue affects Dasharo, we will patch it within a +reasonable time and release a public Dasharo Security Bulletin (DSB) that +describes the issue, discusses the potential impact of the vulnerability, +references applicable patches or workarounds, and credits the discoverer. +Please use the [Dasharo Security Team PGP key][sec-key] to encrypt your email +to this address: -[sec-key]: https://github.com/3mdeb/3mdeb-secpack/tree/master/keys/security-team/dasharo-security-team-encryption-key.asc +security at dasharo dot com + +This key is signed by the [3mdeb Master Key][master-key]. + +When reporting a sensitive vulnerability not yet publicly known, You agree not +to disclose such details publicly or to any third party other than a relevant +CSIRT or ENISA until 3mdeb has had a reasonable period (typically expected to +be up to 90 days, consistent with industry practices) to investigate, +remediate, and coordinate disclosure. This allows for responsible handling of +security issues while acknowledging that the general development process for +non-critical aspects is public. + +[sec-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/security-team/dasharo-security-team-encryption-key.asc +[master-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/master-key/3mdeb-master-key.asc