From 187830d7628880372aa2132c0eb8b143fc2547d4 Mon Sep 17 00:00:00 2001 From: TomSweeneyRedHat Date: Wed, 15 Apr 2020 12:11:18 -0400 Subject: [PATCH] Add security policy Add a security policy to the containers common repo that will then be pointed to by the other containers/* projects. This was based off of the one in crun by @giuseppe, information in libpod, and heavily from [Kubernetes](https://kubernetes.io/docs/reference/issues-security/security/) Signed-off-by: TomSweeneyRedHat --- common/SECURITY.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 common/SECURITY.md diff --git a/common/SECURITY.md b/common/SECURITY.md new file mode 100644 index 0000000000..7a781e6fba --- /dev/null +++ b/common/SECURITY.md 
@@ -0,0 +1,33 @@ +# Containers Projects Security and Disclosure Information + + * [Reporting a Vulnerability](#Reporting-a-Vulnerability) + * [Security Announcements](#Security-Announcements) + * [Security Vulnerability Response](#Security-Vulnerability-Response) + +## Reporting a Vulnerability + +If you think you've identified a security issue in a Containers project, +please DO NOT report the issue publicly via the Github issue tracker, +mailing list, or IRC. Instead, send an email with as many details as +possible to [security@lists.podman.io](mailto:security@lists.podman.io?subject=Security%20Vunerablity%20Report). +This is a private mailing list for the core maintainers. + +Please do **not** create a public issue. + +## Security Announcements + +The podman@lists.podman.io email list is used for messages about +security and major API announcements. You can join the list [here](https://lists.podman.io/admin/lists/podman.lists.podman.io/) +or by sending an email to [podman-join@lists.podman.io](podman-join@lists.podman.io?subject=subscribe) +with the word "subscribe" in the subject. + +## Security Vulnerability Response + +Each report is acknowledged and analyzed by the core maintainers within 3 working days. + +Any vulnerability information shared with core maintainers stays within a Containers project +and will not be disseminated to other projects unless it is necessary to get the issue fixed. + +As the security issue moves from triage, to an identified fix, to release planning, the core +maintainers will keep the reporter updated. +
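Review bot: the subscribe link in the "Security Announcements" section is missing its `mailto:` scheme, so `[podman-join@lists.podman.io](podman-join@lists.podman.io?subject=subscribe)` renders as a relative URL under the repository instead of opening a mail client; it should read `[podman-join@lists.podman.io](mailto:podman-join@lists.podman.io?subject=subscribe)`. In the same vein, the prefilled subject in the reporting link misspells the word as `Security%20Vunerablity%20Report`; `Security%20Vulnerability%20Report` is the intended text and is what maintainers will be filtering on. Style nits: "Github" should be "GitHub", and the table-of-contents anchors (`#Reporting-a-Vulnerability` etc.) would be safer in lowercase, since rendered heading ids are generated lowercase.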