This document describes the security policy and reporting procedures for the iris-client project.
If you want to report a bug which is not security sensible, please submit an issue.
Our team takes all security issues in IRIS seriously.
If you want to report a security issue we appreciate your effort and kindly ask you to submit a responsible disclosure.
Unfortunately, IRIS does not offer a bug bounty programme or other forms of monetary compensation yet.
However, we plan to join a bug bounty platform like HackerOne in the long-term.
Also, we can acknowledge your effort publicly in the GitHub project.
Thank you for improving the security of the IRIS project!
Report security issues via email at security@iris-connect.de.
The IRIS team acknowledges your email within 24 hours and will further respond in detail within 48 hours, explaining the induced actions.
Our security team will keep you up to date of the progress towards fixing the vulnerability and may ask you for additional information.
Please report security issues in third-party dependencies to the person or team maintaining the project for this dependency.
When we receive a security bug report, we will assign it to a person who handles your disclosure.
This person is responsible for the following steps of the fix process:
- Confirm the problem and identify affected versions
- Audit code for finding similar problems
- Develop fixes for all affected versions
- Release fixes as quick as possible
Feedback on this policy and the process is welcome and if you want to suggest how to improve it, we kindly ask you to submit a pull request.