From 013b1989db3f3a65b6ca0c881b6aabbb9332eaa6 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Fri, 15 Nov 2019 14:53:07 +0100 Subject: [PATCH 1/8] Create SECURITY.md --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e36896b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 1.x.x | :white_check_mark: (note yet available) | +| 0.x.x | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 151df41ae036008b8472ee97568a9489a1a73354 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Fri, 15 Nov 2019 15:02:12 +0100 Subject: [PATCH 2/8] initial securtiy file --- SECURITY.md | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index e36896b..62b1cff 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,19 +1,26 @@ # Security Policy +At @caos we are extremely grateful for security aware people that disclose vulnerabilities to us and the Open Source Community. All reports are thoroughly investigated by our engineering team. + ## Supported Versions -Use this section to tell people about which versions of your project are -currently being supported with security updates. +After the initial Release the following version support will aplly | Version | Supported | | ------- | ------------------ | | 1.x.x | :white_check_mark: (note yet available) | | 0.x.x | :x: | -## Reporting a Vulnerability +## Reporting a vulnerability -Use this section to tell people how to report a vulnerability. +To file a incident, please disclose by email to security@caos.ch a list with the security details. -Tell them where to go, how often they can expect to get an update on a -reported vulnerability, what to expect if the vulnerability is accepted or -declined, etc. +At the moment GPG encryption is no yet supported, however you may sign your message at will. + +### When should I report a vulnerability? + +### When should I NOT report a vulnerability? + +## Security Vulnerability Response + +## Public Disclosure Timing From f73b1b2d7ab9110981efb80b3baca610a2903e70 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Fri, 15 Nov 2019 15:07:36 +0100 Subject: [PATCH 3/8] minor text changes --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 62b1cff..7727307 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -19,8 +19,16 @@ At the moment GPG encryption is no yet supported, however you may sign your mess ### When should I report a vulnerability? +* You think you discovered a ... + * ... potential security vulnerability in the SDK + * ... vulnerability in another project that this SDK bases on +* For projects with their own vulnerability reporting and disclosure process, please report it directly there + ### When should I NOT report a vulnerability? +* You need help applying security related updates +* Your issue is not security related + ## Security Vulnerability Response ## Public Disclosure Timing From e6729a0dba73702dcefc8a7ff071a2bcb9922ab3 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Fri, 15 Nov 2019 15:30:02 +0100 Subject: [PATCH 4/8] some more text --- SECURITY.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7727307..2ab2445 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -17,18 +17,24 @@ To file a incident, please disclose by email to security@caos.ch a list with the At the moment GPG encryption is no yet supported, however you may sign your message at will. -### When should I report a vulnerability? +### When should I report a vulnerability * You think you discovered a ... * ... potential security vulnerability in the SDK * ... vulnerability in another project that this SDK bases on * For projects with their own vulnerability reporting and disclosure process, please report it directly there -### When should I NOT report a vulnerability? +### When should I NOT report a vulnerability * You need help applying security related updates * Your issue is not security related ## Security Vulnerability Response -## Public Disclosure Timing +## Public Disclosure + +All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/caos/oidc/security/advisories) + +### Timing + +We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknow nature of the discloures the time frame can range from 7 to 90 days. From ce1a54ad19ccfb829e6360555122f0f7b9cf20de Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Mon, 18 Nov 2019 15:50:04 +0100 Subject: [PATCH 5/8] small changes --- SECURITY.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2ab2445..09cd1f9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security Policy -At @caos we are extremely grateful for security aware people that disclose vulnerabilities to us and the Open Source Community. All reports are thoroughly investigated by our engineering team. +At @caos we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. ## Supported Versions 
@@ -13,7 +13,7 @@ After the initial Release the following version support will aplly ## Reporting a vulnerability -To file a incident, please disclose by email to security@caos.ch a list with the security details. +To file a incident, please disclose by email to security@caos.ch with the security details. At the moment GPG encryption is no yet supported, however you may sign your message at will. @@ -31,10 +31,12 @@ At the moment GPG encryption is no yet supported, however you may sign your mess ## Security Vulnerability Response +TBD + ## Public Disclosure All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/caos/oidc/security/advisories) ### Timing -We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknow nature of the discloures the time frame can range from 7 to 90 days. +We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days. \ No newline at end of file From eb5027ae51a921df763d2186171d96815b0a5250 Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Tue, 19 Nov 2019 08:18:19 +0100 Subject: [PATCH 6/8] Update SECURITY.md Co-Authored-By: livio-a --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 09cd1f9..0df2a81 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security Policy -At @caos we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. +At caos we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team. ## Supported Versions 
@@ -39,4 +39,4 @@ All accepted and mitigated vulnerabilitys will be published on the [Github Secur ### Timing -We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days. \ No newline at end of file +We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the discloures the time frame can range from 7 to 90 days. From 4f50f011d58c8cc30d425b543eb3b0242850894a Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Tue, 19 Nov 2019 08:18:37 +0100 Subject: [PATCH 7/8] correct typo Co-Authored-By: livio-a --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 0df2a81..6d84309 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ At caos we are extremely grateful for security aware people that disclose vulner ## Supported Versions -After the initial Release the following version support will aplly +After the initial Release the following version support will apply | Version | Supported | | ------- | ------------------ | From 0e3a46bad95b08f83d14a9d61989131ba151467a Mon Sep 17 00:00:00 2001 From: Florian Forster Date: Tue, 19 Nov 2019 08:18:56 +0100 Subject: [PATCH 8/8] Update SECURITY.md Co-Authored-By: livio-a --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6d84309..f7ecc88 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -17,7 +17,7 @@ To file a incident, please disclose by email to security@caos.ch with the securi At the moment GPG encryption is no yet supported, however you may sign your message at will. -### When should I report a vulnerability +### When should I report a vulnerability * You think you discovered a ... * ... potential security vulnerability in the SDK
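Review bot: the SECURITY.md created in patch 1/8 still carries the GitHub template prose ("Use this section to tell people about which versions of your project are currently being supported with security updates", "Tell them where to go, how often they can expect to get an update ..."), and the Supported Versions row `| 1.x.x | :white_check_mark: (note yet available) |` has a typo ("note" for "not") and marks as supported a release line that does not exist yet, so a reporter cannot tell which version to test against. The template prose is replaced in patch 2/8, but this table row survives unchanged through patch 8/8. Suggest writing the row as `| 1.x.x | :white_check_mark: (not yet released) |` or leaving it out until the release ships.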
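Review bot: in the patch 2/8 hunk the new reporting line `+To file a incident, please disclose by email to security@caos.ch a list with the security details.` should read "an incident", and `+At the moment GPG encryption is no yet supported, however you may sign your message at will.` should read "not yet supported"; the first line is reworded in patch 5/8 but keeps the article error, and the second is never corrected in this series. Since the policy asks reporters to send vulnerability details over plain email, consider saying when an encryption key or fingerprint will be published alongside the address, so the document states how sensitive details should be protected in transit. Minor style point in the same hunk: `-## Reporting a Vulnerability` becomes `+## Reporting a vulnerability`, which breaks the title case used by "Supported Versions" and "Security Vulnerability Response".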
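Review bot: the bullets added in patch 3/8 under "When should I report a vulnerability?" give conflicting guidance on upstream issues: `+  * ... vulnerability in another project that this SDK bases on` invites reports about dependencies, while the next bullet `+* For projects with their own vulnerability reporting and disclosure process, please report it directly there` sends them elsewhere. Suggest stating the intended order explicitly, for example report to the upstream project first where it has its own process and notify security@caos.ch only when the SDK needs a mitigation of its own. Also "bases on" should be "is based on", and "security related" in the NOT section (`+* You need help applying security related updates`) should be hyphenated as "security-related".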
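Review bot: the Public Disclosure text added in patch 4/8 has three spelling errors in its two new sentences: `+All accepted and mitigated vulnerabilitys will be published ...` ("vulnerabilities"), and "unknow" and "discloures" in the Timing sentence ("But due to the unknow nature of the discloures the time frame can range from 7 to 90 days."); patch 5/8 fixes "unknow", but "vulnerabilitys" and "discloures" reach the final version. The backticks around ASAP render it as code, and "Github Security Page" should be "GitHub Security Advisories" to match the linked page. More important for a reporter, the 7 to 90 day window does not say when the clock starts (receipt of the report, confirmation, or availability of a fix) or what happens if no fix is ready when it elapses; one sentence on that would make the disclosure timeline actionable.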
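Review bot: patch 5/8 fills the "Security Vulnerability Response" section with `+TBD`, which is the one section a reporter most needs: an acknowledgment window and how status updates are communicated. Suggest stating at least the acknowledgment time rather than shipping the placeholder; it is still TBD as of patch 8/8. The reworded reporting line `+To file a incident, please disclose by email to security@caos.ch with the security details.` still says "a incident". The third hunk also drops the file's final newline (`\ No newline at end of file`), which patch 6/8 restores; squashing 5 and 6 would avoid that churn in the history.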
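Review bot: patch 8/8 is a whitespace-only change (the `-### When should I report a vulnerability ` line carries a trailing space that the `+` line removes), but its subject "Update SECURITY.md" does not say so; a subject such as "remove trailing whitespace from heading" keeps the history searchable. The same applies to patch 6/8, whose two hunks drop the `@` from "@caos" and restore the final newline under the same generic subject.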