Merge pull request #1268 from Dasharo/gh-sync-security-md

security.md: expand on reporting issues with responsible disclosures
This commit is contained in:
Kamil Aronowski
2026-05-18 15:57:25 +02:00
committed by GitHub
+24 -5
View File
@@ -10,9 +10,28 @@
you can demonstrate an actual security vulnerability or provide us with
reasonable steps we could follow to verify your claims.
If youve discovered a security issue affecting Dasharo, please send an
encrypted (using [Dasharo security team PGP key][sec-key] e-mail to this
address: `security@dasharo.com`. Please not that unencrypted e-mails sent to
this address may be ignored.
If you've discovered a security issue affecting Dasharo, either directly or
indirectly (e.g., the issue affects Dasharo Tools Suite, which is commonly used
to maintain Dasharo installation and updates), then we would be more than happy
to hear from you! We promise to take all reported issues seriously. If our
investigation confirms that an issue affects Dasharo, we will patch it within a
reasonable time and release a public Dasharo Security Bulletin (DSB) that
describes the issue, discusses the potential impact of the vulnerability,
references applicable patches or workarounds, and credits the discoverer.
Please use the [Dasharo Security Team PGP key][sec-key] to encrypt your email
to this address:
[sec-key]: https://github.com/3mdeb/3mdeb-secpack/tree/master/keys/security-team/dasharo-security-team-encryption-key.asc
security at dasharo dot com
This key is signed by the [3mdeb Master Key][master-key].
When reporting a sensitive vulnerability not yet publicly known, You agree not
to disclose such details publicly or to any third party other than a relevant
CSIRT or ENISA until 3mdeb has had a reasonable period (typically expected to
be up to 90 days, consistent with industry practices) to investigate,
remediate, and coordinate disclosure. This allows for responsible handling of
security issues while acknowledging that the general development process for
non-critical aspects is public.
[sec-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/security-team/dasharo-security-team-encryption-key.asc
[master-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/master-key/3mdeb-master-key.asc