-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6 from bis-med-it/security_policy
Create SECURITY.md
- Loading branch information
Showing
1 changed file
with
37 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Security Policy | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| We are committed to maintaining the security of our software. However, our resources are limited to providing security patches only for the latest combination of minor and major versions of our software. | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| We take the security of our software seriously. If you believe you have found a security vulnerability in our software, we encourage you to report it to us as soon as possible. Please follow these steps: | ||
|
|
||
| 1. **Do Not Publish the Vulnerability**: Publicly disclosing a vulnerability can put the entire community at risk. We ask that you do not share or publicize an unresolved vulnerability to/with third parties. | ||
|
|
||
| 2. **Report Confidentially**: Please email us at [statistics@bis.org](mailto:statistics@bis.org) with the details of the vulnerability. The report should include: | ||
| - A description of the vulnerability and its potential impact. | ||
| - Steps to reproduce or proof-of-concept (PoC). | ||
| - Any relevant screenshots or output. | ||
|
|
||
| 3. **Response and Collaboration**: Our security team will review your report and may contact you for further information. Once the vulnerability is confirmed, we will work with you to assess and understand its impact and develop a mitigation or fix. | ||
|
|
||
| 4. **Acknowledgment**: After the vulnerability has been resolved, we will acknowledge your contribution in our release notes, unless you prefer to remain anonymous. | ||
|
|
||
| ## Security Patch Release Process | ||
|
|
||
| When a vulnerability is discovered, either through internal processes or via an external report, the following process will be followed: | ||
|
|
||
| 1. **Vulnerability Assessment**: Our security team will assess the severity and impact of the vulnerability. | ||
|
|
||
| 2. **Patch Development**: A patch will be developed for the latest supported version. | ||
|
|
||
| 3. **Release and Notification**: Once the patch is ready, it will be released as part of a new version. We will notify users of the need to update through our communication channels (e.g., repository release notes). | ||
|
|
||
| 4. **Backporting**: In exceptional cases, where a vulnerability has a high impact, we may consider backporting the patch to earlier versions. This decision will be made on a case-by-case basis. | ||
|
|
||
| Thank you for helping us keep our software secure. | ||
|
|
||
| --- | ||
| This policy is subject to change at the discretion of the project maintainers. |