(chore)security: add security disclosure process for litmuschaos (#3213)
Signed-off-by: ksatchit <karthik@chaosnative.com>
This commit is contained in:
parent e2870d2d53
commit 4c7d87655f
@ -0,0 +1,45 @@
# SECURITY

This page borrows parts of its contents from https://kubernetes.io/security/

## Report a Vulnerability

We are extremely grateful for security researchers and users that report vulnerabilities to the LitmusChaos Open Source Community. All reports are thoroughly investigated by a set of community members.

To make a report, submit your vulnerability to all security contacts of LitmusChaos [listed below](#security-contacts). This allows triage and handling of the vulnerability with standardized response times.

### When Should I Report a Vulnerability?

- You think you discovered a potential security vulnerability in LitmusChaos
- You are unsure how a vulnerability affects LitmusChaos
- You think you discovered a vulnerability in another project that LitmusChaos depends on. For projects with their own vulnerability reporting and disclosure process, please report it directly there.

### When Should I NOT Report a Vulnerability?

- You need help tuning LitmusChaos components for security - please discuss this is in the various LitmusChaos community channels
- You need help applying security-related updates
- Your issue is not security-related

## Security Vulnerability Response

Each report is acknowledged and analyzed by the security contacts within 5 working days. This will set off the [Security Release Process](#process).

Any vulnerability information shared with the LitmusChaos security contacts stays within LitmusChaos project and will not be disseminated to other projects unless it is necessary to get the issue fixed.

## Public Disclosure Timing

A public disclosure date is negotiated by the LitmusChaos Security Committee and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it is already publicly known) to a few weeks. For a vulnerability with a straightforward mitigation, we expect report date to disclosure date to be on the order of 7 days. The LitmusChaos Security Committee holds the final say when setting a disclosure date.

## Process

If you find a security-related bug in LitmusChaos, we kindly ask you for responsible disclosure and for giving us appropriate time to react, analyze, and develop a fix to mitigate the found security vulnerability. The security contact will investigate the issue within 5 working days.

The team will react promptly to fix the security issue and its workaround/fix will be published on our release notes.

## Security Contacts

Defined below are the security contacts for this repository. In case you identify any security issue, please reach out to all of the security contacts.

- @ksatchit (karthik satchitanand, karthik@chaosnative.com)
- @rajdas98 (raj babu das, raj@chaosnative.com)

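Review bot: the Public Disclosure Timing section refers to a "LitmusChaos Security Committee" that this file never defines, while every other section speaks of the "security contacts"; either state that the people listed under Security Contacts form the committee or use one term throughout, otherwise a reporter cannot tell who actually decides the disclosure date. Two smaller points in the same hunk: "please discuss this is in the various LitmusChaos community channels" has a doubled "is", and the Process section repeats the 5-working-day investigation commitment already made under Security Vulnerability Response, so one of the two should be dropped or reference the other. Finally, the contact list offers only plain email addresses; consider publishing a PGP key for each contact so vulnerability details do not have to be sent in the clear.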