# Security Policy

**Last updated:** August 3, 2021

## Introduction

Out of commitment to the security of our users, the Skytable team has issued this document, titled the 'Security Policy'.

Any vulnerabilities and/or exposures directly or indirectly involving the use of Skytable must be reported in compliance with this document.

## Reporting vulnerabilities

1. First prepare an [MCVE](https://stackoverflow.com/help/minimal-reproducible-example) that exploits the vulnerability
2. Move your MCVE into a new directory and create a file `EXPLOIT.txt`
3. Within the `EXPLOIT.txt` file, describe:
   - What version/tag/commit was exploited
   - A description of the exploit and its impact
   - How to run your MCVE (incl. required frameworks/dependencies/tools/et cetera)
4. Also at the end of the `EXPLOIT.txt` file, write an affirmation:

   ```
   I, <NAME> affirm that all information provided here is correct to my knowledge and I will comply and coordinate with the team as required. I also acknowledge that I am making this submission as a voluntary effort.
   ```

   replacing `<NAME>` with your real name.
5. Compress your files into a ZIP archive
6. Encrypt the ZIP archive using [our PGP public key linked below](#pgp).
7. Email the archive to: [security@skytable.io](mailto:security@skytable.io). Do not include any details of the vulnerability in the e-mail body or subject, because e-mail is not a secure channel. Set the subject line to `[SECURITY EXPLOIT] [DD-MM-YYYY]`.

## Credits

You will be acknowledged in the report for your discovery of the exploit and will also be mentioned in the CVE report filed (if any).

## Timeline

1. You/we discover and report a vulnerability
2. The team acknowledges it (usually through an e-mail) and creates an internal ticket within 24 hours
3. The team coordinates internally and with you to prepare a hotfix
4. The hotfix is released and the time of release is noted
5. 48 hours after the hotfix has been released, the vulnerability is disclosed
6. A CVE and/or a [Security Advisory](https://security.skytable.io) is issued and released to the public.

## Conditions

1. You may **not** disclose the vulnerability before the team releases a hotfix
2. You agree that this is voluntary work

## Supported versions

The most recent 'stable channel' release (i.e. not a pre-release, as per SemVer) receives the security hotfix; a patch will also be released for older versions that need to deploy a fix.

## PGP

Our PGP public key can be found [here](https://keys.openpgp.org/vks/v1/by-fingerprint/6A34A114D40D7918906AEA0111855CAA2A2EA924).

To encrypt your ZIP file:

```sh
wget https://keys.openpgp.org/vks/v1/by-fingerprint/6A34A114D40D7918906AEA0111855CAA2A2EA924 -O skytable.pgp # download the key
gpg --import skytable.pgp # import the key
gpg --output <ZIPFILE>.encrypted.zip --encrypt <ZIPFILE>.zip --recipient nandansayan@outlook.com # encrypt the archive
```

Replace `<ZIPFILE>` with the name of your ZIP file. The output file will be `<ZIPFILE>.encrypted.zip`, and this is the file to send to the e-mail address given above.
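As an added example (not part of the Skytable policy or its tooling), the POSIX shell script below performs the same download, import and encrypt steps, but first checks that the primary key gpg actually imported carries the fingerprint named above, and then encrypts to that fingerprint rather than to a user-ID e-mail address, so gpg cannot silently pick a different key that happens to carry the same address. It assumes `wget` and `gpg` are installed; `fingerprint_matches` parses gpg's `--with-colons` key listing.

```shell
#!/bin/sh
# Added example, not part of the Skytable policy: download, pin and verify the
# key, then encrypt the report to the verified fingerprint. Assumes wget and gpg.
set -eu

EXPECTED_FPR="6A34A114D40D7918906AEA0111855CAA2A2EA924"   # fingerprint named in the policy
KEY_URL="https://keys.openpgp.org/vks/v1/by-fingerprint/$EXPECTED_FPR"

# Reads a `gpg --with-colons --with-fingerprint --list-keys` listing on stdin and
# succeeds only if the PRIMARY key's fingerprint (the first "fpr" record after a
# "pub" record; field 10 holds the fingerprint) equals the expected value.
# Subkey fingerprints are deliberately ignored.
fingerprint_matches() {
    awk -F: -v want="$1" '
        $1 == "pub" { primary = 1; next }
        $1 == "fpr" && primary { primary = 0; if ($10 == want) found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Downloads and imports the key, refuses to continue unless the imported primary
# key carries EXPECTED_FPR, then encrypts the archive to that fingerprint.
# Usage: encrypt_report report.zip   -> writes report.encrypted.zip
encrypt_report() {
    zipfile="$1"
    wget -q "$KEY_URL" -O skytable.pgp
    gpg --import skytable.pgp
    if ! gpg --with-colons --with-fingerprint --list-keys "$EXPECTED_FPR" \
            | fingerprint_matches "$EXPECTED_FPR"; then
        echo "imported key does not carry fingerprint $EXPECTED_FPR; aborting" >&2
        return 1
    fi
    # Encrypt to the fingerprint, not to an e-mail address. --trust-model always
    # suppresses the "key is not certified" prompt: trust was established by the
    # explicit fingerprint check above, not by the web of trust.
    gpg --trust-model always --recipient "$EXPECTED_FPR" \
        --output "${zipfile%.zip}.encrypted.zip" --encrypt "$zipfile"
}

[ "$#" -eq 0 ] || encrypt_report "$1"
```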