docs: how to report security vulnerabilities
Showing 1 changed file with 29 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Security (Top level page) | ||
|
||
## Vulnerability reporting (security issues) | ||
|
||
We gratefully welcome vulnerability reports! | ||
|
||
If you find a significant vulnerability, or evidence of one, | ||
please send an email to the security contacts that you have such | ||
information, and we'll tell you the next steps. | ||
|
||
For now, the security contacts are listed in the AUTHORS file at the root of | ||
this project's repository. | ||
|
||
Please use an email system (like Gmail) that supports | ||
hop-to-hop encryption using STARTTLS when reporting vulnerabilities. | ||
Examples of such systems include Gmail, Outlook.com, and runbox.com. | ||
See [STARTTLS Everywhere](https://starttls-everywhere.org/) | ||
if you wish to learn more about efforts to encourage the use of STARTTLS. | ||
Your email client should use encryption to communicate with | ||
your email system (i.e., if you use a web-based email client then use HTTPS, | ||
and if you use email client software then configure it to use encryption). | ||
Hop-to-hop encryption isn't as strong as end-to-end encryption, | ||
but we've decided that it's strong enough for this purpose | ||
and it's much easier to get everyone to use it. | ||
|
||
We will gladly give credit to anyone who reports a vulnerability | ||
so that we can fix it. | ||
If you want to remain anonymous or pseudonymous instead, | ||
please let us know that; we will gladly respect your wishes. |
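Review bot: the reporting instructions never give a reporter an actual address; the only pointer is "the security contacts are listed in the AUTHORS file", and that file is not part of this change, so a reader of this page cannot tell whom to email. Name the contact address (or a dedicated security alias) directly in the "Vulnerability reporting" section, and keep the AUTHORS reference only as a fallback. Two smaller points in the same section: the text concedes that "Hop-to-hop encryption isn't as strong as end-to-end encryption", so consider publishing an optional PGP key fingerprint for reporters who want end-to-end protection rather than relying on STARTTLS alone; and there is no stated acknowledgement window or what a reporter should do if they get no reply, which is the first thing a reporter looks for. Finally, the heading "# Security (Top level page)" reads like a placeholder note; "# Security" is enough.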