Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fcb0d31
commit c8a117b
Showing
2 changed files
with
71 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,72 @@ | ||
| # Security Policy | ||
| # Vulnerability Disclosure Policy | ||
|
|
||
| ## Reporting a Vulnerability | ||
| ## Introduction | ||
|
|
||
| Please report vulnerabilities to caldera@mitre.org | ||
| This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. | ||
|
|
||
| Please include: | ||
| - Affected version | ||
| - Steps to reproduce | ||
| - (optional) suggested fix | ||
| This policy describes **what systems and types of research** are covered under this policy, **how to send us** vulnerability reports, and **how long** we ask security researchers to wait before publicly disclosing vulnerabilities. | ||
|
|
||
| ## Supported Versions | ||
| We encourage you to contact us to report potential vulnerabilities in our systems. | ||
|
|
||
| **For vulnerability reports email us at <caldera@mitre.org>**. Reports may be submitted anonymously. | ||
|
|
||
| ## Authorization | ||
|
|
||
| If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly. | ||
|
|
||
| ## Guidelines | ||
|
|
||
| Under this policy, "research" means activities in which you: | ||
|
|
||
| - Notify us as soon as possible after you discover a real or potential security issue. | ||
|
|
||
| - Only use exploits to the extent necessary to confirm a vulnerability's presence. | ||
|
|
||
| - Provide us a reasonable amount of time to resolve the issue before you disclose it publicly. | ||
|
|
||
| - Do not submit a high volume of low-quality reports. | ||
|
|
||
| ## Reporting a vulnerability | ||
|
|
||
| Information submitted under this policy will be used for defensive purposes only, i.e. to mitigate or remediate vulnerabilities. Since CALDERA is run by a not-for-profit and is open source by nature, by | ||
| submitting a vulnerability, you acknowledge that you have no expectation of payment. However, we will ensure that credit is given to the bug finder. | ||
|
|
||
| ## What we would like to see from you | ||
|
|
||
| To help us triage and prioritize submissions, please include the following in your report: | ||
|
|
||
| - Affected version of CALDERA (committed hash or version number), operating system used, and python version. | ||
|
|
||
| - Describe the location the vulnerability was discovered and the potential impact of exploitation. | ||
|
|
||
| - Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful). | ||
|
|
||
| - Be in English, if possible. | ||
|
|
||
| ## What you can expect from us | ||
|
|
||
| When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible. | ||
|
|
||
| - Within ***10 business days***, we will acknowledge that your report has been received. | ||
|
|
||
| - After notifying the CALDERA team, we will open reported issues to the public within ***90 days***, or after a fix is released (whichever comes first). | ||
|
|
||
| - To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution. | ||
|
|
||
| - We will maintain an open dialogue to discuss issues. | ||
|
|
||
| - We will work with you in issuing a CVE and receiving proper credit for helping us secure our platform. | ||
|
|
||
| ## Questions | ||
|
|
||
| Questions regarding this policy may be sent to [**caldera@mitre.org**](mailto:caldera@mitre.org). We also invite you to contact us with suggestions for improving this policy. | ||
|
|
||
| ## Document change history | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
| **Version** **Date** **Description** | ||
| ------------- --------------------------------------- ----------------------- | ||
| 1.0 *Nov 15, 2022* First issuance. | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | >= 2.9.x | :white_check_mark: | | ||
| | < 2.9 | :x: | |