Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs:feat - Security Policies #172

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs:feat - Security Policies #172

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# **Security Policies**

Zup's Open Source projects adopt recommendations from the **OpenSSF Security Scorecards** and the **OpenSSF Best Practices Badge** program. Our projects must have a public policy for security vulnerabilities disclosure.

## **Supported versions**

|Version |Supported |
|--- |--- |
|Latest branch version |Yes |
|Other versions |No |

### **Private Disclosure Process of Vulnerabilities**

Zup's Open Source Engineering team and its product communities care about reported security vulnerabilities.

Our community request that every suspected vulnerability are disclosed privately and responsibly.
If you find a vulnerability or even a possible one, follow the instructions:

**1.** Send us an e-mail to **secure.opensource@zup.com.br**. You need to add the information below:

- Type of vulnerability (for example Buffer Overflow, SQL Injection, Cross-Site Scripting, etc.).
- Full paths of the source files related to the vulnerability manifestation.
- The location of the affected source code (tag/branch/commit or direct URL).
- Step-by-step instructions to reproduce the problem and you can also add any special configuration required to it.
- Proof-of-concept or exploit code (if possible).
- The impact of the problem, including how an attacker might exploit the vulnerability.

**2.** The **Horusec** team will acknowledge your e-mail and they will send you a more detailed response indicating the next steps to handle the vulnerability you have reported.

**3.** The **Horusec** team will keep you informed about the progress of the fix and its public disclosure. They may ask you for additional information.

### **Public Disclosure Process of Vulnerabilities**

If you become aware of a publicly disclosed vulnerability, please IMMEDIATELY send an e-mail to secure.opensource@zup.com.br, informing the **Horusec** team about it so they can address it via analysis, fix, new versioning, and release.

Whenever is possible, the **Horusec** team may request the person who made the vulnerability's public disclosure to address it through a private process, for example, if details about exploiting the flaw are not available yet.

### **Disclosure Policy**

When the **Horusec** team receives a vulnerability report, a team member is assigned as a primary handler. This person will contact the product's Tech Lead to coordinate the bug fix and new fixed version release process, see the steps of this process below:

**Step 1.** Confirm the issue and determine if the supported version is affected;

**Step 2.** Audit code to find similar issues;

**Step 3.** Prepare fixes for the supported version. These fixes will be released as soon as possible.

### **Community**

If you have any suggestions on how we can improve this process, please submit a pull request and contribute to the project too!