
Security Policy

Last updated: August 3, 2021

Introduction

For the security of our users, the Skytable team has issued this document, the 'Security Policy'. Any vulnerability or exposure involving the use of Skytable, directly or indirectly, must be reported in compliance with this document.

Reporting vulnerabilities

  1. First prepare an MCVE (a minimal, complete, verifiable example) that exploits the vulnerability
  2. Move your MCVE into a new directory and create a file EXPLOIT.txt in it
  3. Within the EXPLOIT.txt file, describe:
    • Which version/tag/commit was exploited
    • What the exploit does and what its impact is
    • How to run your MCVE (including required frameworks, dependencies, tools, et cetera)
  4. At the end of the EXPLOIT.txt file, write the following affirmation:
    I, <NAME> affirm that all information provided here is correct to my knowledge and I will comply and coordinate with the team as required. I also acknowledge that I am making this submission as a voluntary effort.
    
    replacing <NAME> with your real name.
  5. Compress the directory into a ZIP archive
  6. Encrypt the ZIP archive with our PGP public key (see the PGP section below)
  7. E-mail the encrypted archive as an attachment to security@skytable.io. Put no details about the vulnerability in the subject or body: plain e-mail is not confidential, so everything sensitive belongs inside the encrypted archive. Set the subject line to [SECURITY EXPLOIT] [DD-MM-YYYY] and nothing else.

Credits

You will be credited in the security advisory for your discovery of the vulnerability and will also be named in the CVE record, if one is filed.

Timeline

  1. You or we discover and report a vulnerability
  2. The team acknowledges the report (usually by e-mail) and opens an internal ticket within 24 hours
  3. The team prepares a hotfix, coordinating with you where needed
  4. The hotfix is released and the time of release is recorded
  5. 48 hours after the hotfix has been released, the vulnerability is disclosed
  6. A CVE and/or a Security Advisory is issued and released to the public

Conditions

  1. You may not disclose the vulnerability before the team has released a hotfix
  2. You agree that this is voluntary work

Supported versions

Only the most recent 'stable channel' release (i.e. not a pre-release in SemVer terms) receives a security hotfix. A patch will also be released for older versions so that deployments which cannot upgrade can still apply a fix.

PGP

Our PGP public key is published on keys.openpgp.org under the fingerprint 6A34A114D40D7918906AEA0111855CAA2A2EA924. To encrypt your ZIP file:

wget https://keys.openpgp.org/vks/v1/by-fingerprint/6A34A114D40D7918906AEA0111855CAA2A2EA924 -O skytable.pgp  # download the key
gpg --import skytable.pgp                                                # import the key
gpg --fingerprint 6A34A114D40D7918906AEA0111855CAA2A2EA924             # confirm the imported key carries exactly this fingerprint
gpg --output <ZIPFILE>.encrypted.zip --encrypt --recipient 6A34A114D40D7918906AEA0111855CAA2A2EA924 <ZIPFILE>.zip  # encrypt to that fingerprint (an e-mail address could match more than one key in your keyring)

Replace <ZIPFILE> with the name of your ZIP file without the .zip suffix. The output file, <ZIPFILE>.encrypted.zip, is an OpenPGP-encrypted message and is the only thing you attach to the e-mail.
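As an added example that is not part of Skytable's policy or code base, the reporting steps and the PGP commands above can be wrapped into one script: it copies the MCVE into a fresh directory, writes the EXPLOIT.txt skeleton with the required affirmation, zips it, imports the key, checks that the imported key really carries the fingerprint from the policy (parsing gpg's --with-colons output rather than trusting the download), and encrypts to that pinned fingerprint. It assumes gpg, zip and wget are installed; the function names, the report directory name and the placeholder markers <DESCRIPTION> and <HOWTO> are this example's own choices.

```shell
#!/bin/sh
# Added example (not Skytable's own tooling): assemble, verify and encrypt a report.
# Assumes gpg(1), zip(1) and wget(1). The fingerprint is the one in the policy's key URL.
set -eu

SKYTABLE_FPR="6A34A114D40D7918906AEA0111855CAA2A2EA924"
SKYTABLE_KEY_URL="https://keys.openpgp.org/vks/v1/by-fingerprint/$SKYTABLE_FPR"
SKYTABLE_SECURITY_MAIL="security@skytable.io"

# write_exploit_txt DIR VERSION NAME : write the EXPLOIT.txt skeleton the policy asks for.
# <DESCRIPTION> and <HOWTO> are placeholders the reporter replaces before zipping.
write_exploit_txt() {
  dir=$1; version=$2; name=$3
  cat > "$dir/EXPLOIT.txt" <<EOF
Version/tag/commit exploited: $version

Description of the exploit and its impact:
<DESCRIPTION>

How to run the MCVE (required frameworks/dependencies/tools):
<HOWTO>

I, $name affirm that all information provided here is correct to my knowledge and I will comply and coordinate with the team as required. I also acknowledge that I am making this submission as a voluntary effort.
EOF
}

# fpr_listed FPR : read 'gpg --with-colons' records on stdin and succeed only if a
# key with exactly this fingerprint is present (field 10 of an 'fpr' record).
fpr_listed() {
  awk -F: -v want="$1" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }'
}

# key_is_imported FPR : query the local keyring and check it through fpr_listed.
key_is_imported() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | fpr_listed "$1"
}

# import_skytable_key : download by fingerprint, import, then verify what actually landed.
import_skytable_key() {
  wget -q "$SKYTABLE_KEY_URL" -O skytable.pgp
  gpg --batch --import skytable.pgp
  key_is_imported "$SKYTABLE_FPR" || {
    echo "imported key does not carry fingerprint $SKYTABLE_FPR; refusing to encrypt" >&2
    return 1
  }
}

# encrypt_report BASENAME : encrypt BASENAME.zip to the pinned fingerprint. The explicit
# fingerprint check above replaces web-of-trust validation, hence --trust-model always.
encrypt_report() {
  base=$1
  gpg --batch --yes --trust-model always --output "$base.encrypted.zip" \
      --encrypt --recipient "$SKYTABLE_FPR" "$base.zip"
}

# main MCVE_DIR VERSION NAME : the full pipeline. Runs only when arguments are given,
# so the functions can be sourced or tested without touching the network.
main() {
  src=$1; version=$2; name=$3
  today=$(date +%d-%m-%Y)
  report="skytable-report-$today"
  rm -rf "$report" && mkdir "$report"
  cp -R "$src"/. "$report"/
  write_exploit_txt "$report" "$version" "$name"
  zip -qr "$report.zip" "$report"
  import_skytable_key
  encrypt_report "$report"
  echo "Attach $report.encrypted.zip to an e-mail to $SKYTABLE_SECURITY_MAIL"
  echo "with subject '[SECURITY EXPLOIT] [$today]' and an empty body."
}

[ "$#" -eq 0 ] || main "$@"
```

Usage: ./report.sh ./my-mcve <tag-or-commit> "Your Real Name", after editing EXPLOIT.txt's placeholders. Encrypting to the fingerprint rather than to an e-mail address matters because a keyring can hold several keys with the same user ID; the fingerprint names exactly one.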