From 18773a321060531666c3c112c1f6aa24d3d6ee94 Mon Sep 17 00:00:00 2001 From: Rahul-4480 Date: Tue, 15 Oct 2024 12:17:32 +0530 Subject: [PATCH 1/8] doc: add security.md file --- SECURITY.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8a97772 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,29 @@ +# Security + +GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). + +Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. + +## Reporting Security Issues + +If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. + +**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** + +Instead, please send an email to . + +Please include as much of the information listed below as you can to help us better understand and resolve the issue: + +* The type of issue (e.g., improper input handling, token exposure, unauthorized access to GitHub API, or API abuse in the spell and grammar checking process) +* Full paths of source file(s) related to the manifestation of the issue +* The location of the affected source code (tag/branch/commit or direct URL) +* Any special configuration required to reproduce the issue +* Step-by-step instructions to reproduce the issue +* Proof-of-concept or exploit code (if possible) +* Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +## Policy + +See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) From 63f15249abf6fbbd914c2d5932e619df45e1c715 Mon Sep 17 00:00:00 2001 
From: Rahul-4480 Date: Tue, 15 Oct 2024 13:52:32 +0530 Subject: [PATCH 2/8] refactor: replace references to github with infraspec --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 8a97772..abba173 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security -GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). +GitHub takes the security of our software products and services seriously, including all open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/infraspecdev/). Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. From 9a5bf19eb2ccf7509c1c444fe88f49a32d47f332 Mon Sep 17 00:00:00 2001 From: Rahul-4480 Date: Tue, 15 Oct 2024 13:53:36 +0530 Subject: [PATCH 3/8] refactor: replace email to security@infraspec.dev --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index abba173..98a958d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -10,7 +10,7 @@ If you believe you have found a security vulnerability in any GitHub-owned repos **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** -Instead, please send an email to . +Instead, please send an email to . Please include as much of the information listed below as you can to help us better understand and resolve the issue: From e3c6164e73d90cbdd6e41d3732e0ed8720b4c164 Mon Sep 17 00:00:00 2001 
From: Rahul-4480 Date: Tue, 15 Oct 2024 13:54:43 +0530 Subject: [PATCH 4/8] refactor: remove the references to bug bounty --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 98a958d..9233407 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,7 @@ GitHub takes the security of our software products and services seriously, including all open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/infraspecdev/). -Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. +If you find any security vulnerabilities in our open source projects, please report them. We will ensure that your findings are passed along to the appropriate maintainers for remediation. ## Reporting Security Issues From fbb38bc3cef31a626948b64ded11cba3d7912aa6 Mon Sep 17 00:00:00 2001 From: Rahul-4480 Date: Tue, 15 Oct 2024 13:55:10 +0530 Subject: [PATCH 5/8] refactor: remove the references under policy --- SECURITY.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 9233407..9b76e99 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -23,7 +23,3 @@ Please include as much of the information listed below as you can to help us bet * Impact of the issue, including how an attacker might exploit the issue This information will help us triage your report more quickly. - -## Policy - -See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms) From d26b09f780dedbbfbe4dd7084e4186c29929ad4a Mon Sep 17 00:00:00 2001 
From: Rahul-4480 Date: Tue, 15 Oct 2024 15:31:37 +0530 Subject: [PATCH 6/8] refactor: rename Github to Infraspec --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 9b76e99..7eb75b4 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,6 +1,6 @@ # Security -GitHub takes the security of our software products and services seriously, including all open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/infraspecdev/). +Infraspec takes the security of our software products and services seriously, including all open-source code repositories managed through our GitHub organization, [Infraspec](https://github.com/infraspecdev/). If you find any security vulnerabilities in our open source projects, please report them. We will ensure that your findings are passed along to the appropriate maintainers for remediation. From b473732540c72f0015f987b2ab84b7fc401a831c Mon Sep 17 00:00:00 2001 From: Rahul-4480 Date: Tue, 15 Oct 2024 15:32:54 +0530 Subject: [PATCH 7/8] refactor: remove GitHub examples like unauthorized access to GitHub API --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 7eb75b4..355627e 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,7 +14,7 @@ Instead, please send an email to . Please include as much of the information listed below as you can to help us better understand and resolve the issue: -* The type of issue (e.g., improper input handling, token exposure, unauthorized access to GitHub API, or API abuse in the spell and grammar checking process) +* The type of issue (e.g., improper input handling, token exposure or API abuse in the spell and grammar checking process) * Full paths of source file(s) related to the manifestation of the issue * The location of the affected source code (tag/branch/commit or direct URL) * Any special configuration required to reproduce the issue 
From 8431e0c1c455b8e0c00535952e711fa460562476 Mon Sep 17 00:00:00 2001 From: Rahul-4480 Date: Tue, 15 Oct 2024 17:45:10 +0530 Subject: [PATCH 8/8] refactor: replace Github references to Infraspec --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 355627e..dd3dead 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,14 +1,14 @@ # Security -Infraspec takes the security of our software products and services seriously, including all open-source code repositories managed through our GitHub organization, [Infraspec](https://github.com/infraspecdev/). +Infraspec takes the security of our software products and services seriously, including all open-source code repositories managed through our organization, [Infraspec](https://github.com/infraspecdev/). If you find any security vulnerabilities in our open source projects, please report them. We will ensure that your findings are passed along to the appropriate maintainers for remediation. ## Reporting Security Issues -If you believe you have found a security vulnerability in any GitHub-owned repository, please report it to us through coordinated disclosure. +If you believe you have found a security vulnerability in any Infraspec-owned repository, please report it to us through coordinated disclosure. -**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** +**Please do not report security vulnerabilities through public issues, discussions, or pull requests in Infraspec repositories.** Instead, please send an email to .
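Review bot: The `+` body of PATCH 1/8 is GitHub's own SECURITY.md template copied verbatim, so the opening paragraph, the bug-bounty scope link, the `## Policy` safe-harbor link and the example `API abuse in the spell and grammar checking process` all describe GitHub rather than this project; adapt the text to the project before committing instead of landing it as-is and correcting it across seven follow-up commits. The contact line `+Instead, please send an email to .` also carries no address as shown here, so the reporting instruction is unusable in this state.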
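Review bot: The subject of PATCH 2/8 says it replaces references to GitHub with Infraspec, but the only change in the hunk is the link target (`https://github.com/infraspecdev/`); the `+` line still opens `GitHub takes the security of our software products` and the link text is still `[GitHub]`, so the paragraph names GitHub while pointing at the Infraspec organization. Change the name and link text in the same hunk (as PATCH 6/8 eventually does) or squash 2/8 and 6/8.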
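Review bot: In PATCH 3/8 the `-` and `+` lines are identical as displayed (`Instead, please send an email to .`), so the hunk does not show the address its subject line promises (`security@infraspec.dev`). If the address is wrapped in angle brackets, confirm it is actually present in the committed file and renders as a link in the markdown; this is the one line a reporter must be able to act on.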
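Review bot: The new sentence in PATCH 4/8, `If you find any security vulnerabilities in our open source projects, please report them.`, largely restates the `## Reporting Security Issues` section that follows it; either fold it into that section or reword it to cover what the removed bounty sentence used to state (whether reports are eligible for any reward), so a reporter's expectations are set before they read on.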
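Review bot: Dropping the `## Policy` section in PATCH 5/8 is right, since GitHub's safe-harbor terms cannot bind Infraspec, but nothing replaces it: the file now makes no commitment to the reporter (acknowledgement time, disclosure timeline, or a statement that good-faith research under this process will not be pursued). Add a short Infraspec-specific policy paragraph rather than leaving the section out entirely.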
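Review bot: The `+` line in PATCH 6/8 switches to `open-source code repositories` while the unchanged context line two lines below still reads `our open source projects`; pick one spelling. The change from `our GitHub organizations, such as` to `our GitHub organization, [Infraspec]` is a good fix, since the plural and `such as` implied more than one organization.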
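Review bot: The `+` line in PATCH 7/8 still ends the example list with `API abuse in the spell and grammar checking process`, which comes from the template's origin and does not describe an Infraspec project; replace it with issue types that apply to this organization's repositories (the other two examples, `improper input handling, token exposure`, are generic enough to keep) and restore the comma before `or` to match the original list's punctuation.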
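Review bot: The bold line in PATCH 8/8 now reads `public issues, discussions, or pull requests in Infraspec repositories`, which is clearer, but the trailing context line `Instead, please send an email to .` still shows no address in the final state of the series; verify the rendered file before merging. All eight commits also touch the same few lines of one new file, so squashing them into a single `doc: add SECURITY.md` commit would avoid a history whose intermediate states name the wrong organization and an empty contact line.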