mirror of
https://github.com/Dasharo/docs.git
synced 2026-06-13 10:16:57 -07:00
Merge pull request #1268 from Dasharo/gh-sync-security-md
security.md: expand on reporting issues with responsible disclosures
This commit is contained in:
+24
-5
@@ -10,9 +10,28 @@
|
||||
you can demonstrate an actual security vulnerability or provide us with
|
||||
reasonable steps we could follow to verify your claims.
|
||||
|
||||
If you’ve discovered a security issue affecting Dasharo, please send an
|
||||
encrypted (using [Dasharo security team PGP key][sec-key] e-mail to this
|
||||
address: `security@dasharo.com`. Please not that unencrypted e-mails sent to
|
||||
this address may be ignored.
|
||||
If you've discovered a security issue affecting Dasharo, either directly or
|
||||
indirectly (e.g., the issue affects Dasharo Tools Suite, which is commonly used
|
||||
to maintain Dasharo installation and updates), then we would be more than happy
|
||||
to hear from you! We promise to take all reported issues seriously. If our
|
||||
investigation confirms that an issue affects Dasharo, we will patch it within a
|
||||
reasonable time and release a public Dasharo Security Bulletin (DSB) that
|
||||
describes the issue, discusses the potential impact of the vulnerability,
|
||||
references applicable patches or workarounds, and credits the discoverer.
|
||||
Please use the [Dasharo Security Team PGP key][sec-key] to encrypt your email
|
||||
to this address:
|
||||
|
||||
[sec-key]: https://github.com/3mdeb/3mdeb-secpack/tree/master/keys/security-team/dasharo-security-team-encryption-key.asc
|
||||
security at dasharo dot com
|
||||
|
||||
This key is signed by the [3mdeb Master Key][master-key].
|
||||
|
||||
When reporting a sensitive vulnerability not yet publicly known, You agree not
|
||||
to disclose such details publicly or to any third party other than a relevant
|
||||
CSIRT or ENISA until 3mdeb has had a reasonable period (typically expected to
|
||||
be up to 90 days, consistent with industry practices) to investigate,
|
||||
remediate, and coordinate disclosure. This allows for responsible handling of
|
||||
security issues while acknowledging that the general development process for
|
||||
non-critical aspects is public.
|
||||
|
||||
[sec-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/security-team/dasharo-security-team-encryption-key.asc
|
||||
[master-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/master-key/3mdeb-master-key.asc
|
||||
|
||||
Reference in New Issue
Block a user