SECURITY.md

File metadata and controls

51 lines (35 loc) · 2.94 KB

Vulnerability Disclosure Policy

We take the security of our software and systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We ask that all security researchers:

  • Respect the rules. Operate within the rules set forth in these guidelines, or speak up if in strong disagreement with the rules.
  • Respect privacy. Make a good faith effort not to access or destroy another user's data. Avoid degradation of user experience, disruption to production systems, and destruction of data.
  • Be patient. Make a good faith effort to clarify your findings and answer questions as they arise. Keep information about any vulnerabilities you’ve discovered confidential between yourself and the vendor until the issue is resolved with a public security announcement (typically within 50 days).
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
  • Use the communication channel below to report vulnerability information to us. Do not use personal emails, social media accounts, or other private connections to contact a member of a security team regarding vulnerabilities or any program-related issues, unless you have been instructed to do so.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 1 week of submission);
  • Recognize your contribution in the security announcement and list your name as a contributor to our software (under the condition that you are the first to report the issue and it results in a source code or configuration change).

Scope

  • ((OTRS)) Community Edition developed and maintained by Centuran Consulting
  • Additional packages and utilities developed for ((OTRS)) Community Edition by Centuran Consulting
  • Instances of ((OTRS)) Community Edition managed or operated by Centuran Consulting

Out of Scope

Any services hosted by 3rd party providers are excluded from scope. These services include instances hosted by external parties and forks of ((OTRS)) Community Edition developed and maintained by other vendors.

How to Report a Security Vulnerability?

If you believe you’ve found a security vulnerability in our software, please contact us at security@otrscommunityedition.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability
  • A detailed description of the steps required to reproduce the vulnerability (such as PoC scripts, screenshots, and compressed screen captures)
  • Your name for recognition in the announcement and the list of contributors to our software. If you wish to remain anonymous, we encourage you to submit your findings under a pseudonym.