Add security policy [skip ci]
Sayan
3 years ago
committed by
GitHub
parent
891f9a2e06
commit
5783d5a8ab
@ -0,0 +1,63 @@
|
||||
# Security Policy
|
||||
|
||||
**Last updated:** August 3, 2021
|
||||
|
||||
## Introduction
|
||||
|
||||
In the interest and commitment to the security of our users, the Skytable team has issued this document, titled the 'Security Policy'.
|
||||
Any vulnerabilities and/or exposures directly/indirectly involving the use of Skytable must be reported in compliance with this document.
|
||||
|
||||
## Reporting vulnerabilities
|
||||
|
||||
1. First prepare an [MCVE](https://stackoverflow.com/help/minimal-reproducible-example) to exploit the vulnerability
|
||||
2. Move your MCVE into a new directory and create a file `EXPLOIT.txt`
|
||||
3. Within the `EXPLOIT.txt` file, describe:
|
||||
- What version/tag/commit was exploited
|
||||
- A description of the exploit and its impact
|
||||
- How to run your MCVE (incl. required frameworks/dependencies/tools/et cetera)
|
||||
4. Also at the end of the `EXPLOIT.txt` file, write an affirmation:
|
||||
```
|
||||
I, <NAME> affirm that all information provided here is correct to my knowledge and I will comply and coordinate with the team as required. I also
|
||||
acknowledge that I am making this submission as a voluntary effort.
|
||||
```
|
||||
replacing `<NAME>` with your real name.
|
||||
5. Compress your files into a ZIP archive
|
||||
6. Encrypt the ZIP archive using [our PGP public key linked below](#pgp).
|
||||
7. Email the archive to: [security@skytable.io](mailto:security@skytable.io). DO NOT include any information in the email body/subject because
|
||||
e-mail is insecure. Set the subject line to `[SECURITY EXPLOIT] [DD-MM-YYYY]`.
|
||||
|
||||
## Credits
|
||||
|
||||
You will be acknowledged in the report for your discovery of the exploit
|
||||
and will also be mentioned in the CVE report filed (if any).
|
||||
|
||||
## Timeline
|
||||
|
||||
1. You/we discover and report a vulnerability
|
||||
2. The team acknowledges it (usually through an e-mail) and creates an internal ticket within 24 hours
|
||||
3. The team coordinates with itself/you to prepare a hotfix
|
||||
4. The hotfix is released and the time of release is noted
|
||||
5. 48 hours after the hotfix has been released, the vulnerability is
|
||||
disclosed
|
||||
6. A CVE and/or a [Security Advisory](https://security.skytable.io) is issued and released to the public.
|
||||
|
||||
## Conditions
|
||||
|
||||
1. You may **not** disclose the vulnerability before the team releases a hotfix
|
||||
2. You agree that this is voluntary work
|
||||
|
||||
## Supported versions
|
||||
|
||||
The most recent 'stable channel' release (i.e not a pre-release as per Semver) receives a security hotfix and a patch will be released for older versions
|
||||
who need to deploy a fix.
|
||||
|
||||
## PGP
|
||||
|
||||
Our PGP public key can be found [here](https://keys.openpgp.org/vks/v1/by-fingerprint/6A34A114D40D7918906AEA0111855CAA2A2EA924).
|
||||
To encrypt your ZIP file:
|
||||
```sh
|
||||
wget https://keys.openpgp.org/vks/v1/by-fingerprint/6A34A114D40D7918906AEA0111855CAA2A2EA924 -O skytable.pgp # download the key
|
||||
gpg --import skytable.pgp # import the key
|
||||
gpg --output <ZIPFILE>.encrypted.zip --encrypt <ZIPFILE>.zip --recipient nandansayan@outlook.com # encrypt the archive
|
||||
```
|
||||
Replace `<ZIPFILE>` with the name of your ZIP file. The output file will be `<ZIPFILE>.encrypted.zip` and this is what you have to send to the provided e-mail
|
||||
Loading…
Reference in New Issue