Skip to content
This repository has been archived by the owner on Dec 11, 2024. It is now read-only.

added security.md #196

Merged
merged 1 commit into from
Jul 18, 2024
Merged

added security.md #196

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Security

This C2PA open-source library is maintained in partnership with Adobe. At this time, Adobe is taking point on accepting security reports through its HackerOne portal and public bug bounty program.

## Reporting a vulnerability

Please do not create a public GitHub issue for any suspected security vulnerabilities. Instead, please file an issue through [Adobe's HackerOne page](https://hackerone.com/adobe?type=team). If for some reason this is not possible, reach out to cai-security@adobe.com.


## Vulnerability SLAs

Once we receive an actionable vulnerability (meaning there is an available patch, or a code fix is required), we will acknowledge the vulnerability within 24 hours. Our target SLAs for resolution are:

1. 72 hours for vulnerabilities with a CVSS score of 9.0-10.0
2. 2 weeks for vulnerabilities with a CVSS score of 7.0-8.9

Any vulnerability with a score below 6.9 will be resolved when possible.


## C2PA Vulnerabilities

This library is not meant to address any potential vulnerabilities within the C2PA specification itself. It is only an implementation of the spec as written. Any suspected vulnerabilities within the spec can be reported [here](https://github.com/c2pa-org/specifications/issues).
Loading