forked from jshiffer/matterbridge
55 lines
2.9 KiB
Markdown
55 lines
2.9 KiB
Markdown
|
<!-- THIS FILE IS GENERATED! DO NOT EDIT! Maintained by Terraform. -->
|
||
|
# :old_key: Security Policy
|
||
|
|
||
|
## :heavy_check_mark: Supported Versions
|
||
|
|
||
|
The following restrictions apply for versions that are still supported in terms of security and bug fixes:
|
||
|
|
||
|
* :grey_question: Must be using the latest major/minor version.
|
||
|
* :grey_question: Must be using a supported platform for the repository (e.g. OS, browser, etc), and that platform must
|
||
|
be within its supported versions (for example: don't use a legacy or unsupported version of Ubuntu or
|
||
|
Google Chrome).
|
||
|
* :grey_question: Repository must not be archived (unless the vulnerability is critical, and the repository moderately
|
||
|
popular).
|
||
|
* :heavy_check_mark:
|
||
|
|
||
|
If one of the above doesn't apply to you, feel free to submit an issue and we can discuss the
|
||
|
issue/vulnerability further.
|
||
|
|
||
|
|
||
|
## :lady_beetle: Reporting a Vulnerability
|
||
|
|
||
|
Best method of contact: [GPG :key:](https://github.com/lrstanley.gpg)
|
||
|
|
||
|
* :speech_balloon: [Discord][chat]: message `/home/liam#0000`.
|
||
|
* :email: Email: `security@liamstanley.io`
|
||
|
|
||
|
Backup contacts (if I am unresponsive after **48h**): [GPG :key:](https://github.com/FM1337.gpg)
|
||
|
* :speech_balloon: [Discord][chat]: message `Allen#7440`.
|
||
|
* :email: Email: `security@allenlydiard.ca`
|
||
|
|
||
|
If you feel that this disclosure doesn't include a critical vulnerability and there is no sensitive
|
||
|
information in the disclosure, you don't have to use the GPG key. For all other situations, please
|
||
|
use it.
|
||
|
|
||
|
### :stopwatch: Vulnerability disclosure expectations
|
||
|
|
||
|
* :no_bell: We expect you to not share this information with others, unless:
|
||
|
* The maximum timeline for initial response has been exceeded (shown below).
|
||
|
* The maximum resolution time has been exceeded (shown below).
|
||
|
* :mag_right: We expect you to responsibly investigate this vulnerability -- please do not utilize the
|
||
|
vulnerability beyond the initial findings.
|
||
|
* :stopwatch: Initial response within 48h, however, if the primary contact shown above is unavailable, please
|
||
|
use the backup contacts provided. The maximum timeline for an initial response should be within
|
||
|
7 days.
|
||
|
* :stopwatch: Depending on the severity of the disclosure, resolution time may be anywhere from 24h to 2
|
||
|
weeks after initial response, though in most cases it will likely be closer to the former.
|
||
|
* If the vulnerability is very low/low in terms of risk, the above timelines **will not apply**.
|
||
|
* :toolbox: Before the release of resolved versions, a [GitHub Security Advisory][advisory-docs].
|
||
|
will be released on the respective repository. [Browser all advisories here][advisory].
|
||
|
|
||
|
<!-- definitions -->
|
||
|
[chat]: https://liam.sh/chat
|
||
|
[advisory]: https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago
|
||
|
[advisory-docs]: https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory
|