matterbridge/vendor/github.com/lrstanley/girc/SECURITY.md
2022-04-12 00:30:21 +02:00

2.9 KiB

🗝️ Security Policy

✔️ Supported Versions

The following restrictions apply for versions that are still supported in terms of security and bug fixes:

  • Must be using the latest major/minor version.
  • Must be using a supported platform for the repository (e.g. OS, browser, etc), and that platform must be within its supported versions (for example: don't use a legacy or unsupported version of Ubuntu or Google Chrome).
  • Repository must not be archived (unless the vulnerability is critical, and the repository moderately popular).
  • ✔️

If one of the above doesn't apply to you, feel free to submit an issue and we can discuss the issue/vulnerability further.

🐞 Reporting a Vulnerability

Best method of contact: GPG 🔑

  • 💬 Discord: message /home/liam#0000.
  • 📧 Email: security@liamstanley.io

Backup contacts (if I am unresponsive after 48h): GPG 🔑

  • 💬 Discord: message Allen#7440.
  • 📧 Email: security@allenlydiard.ca

If you feel that this disclosure doesn't include a critical vulnerability and there is no sensitive information in the disclosure, you don't have to use the GPG key. For all other situations, please use it.

⏱️ Vulnerability disclosure expectations

  • 🔕 We expect you to not share this information with others, unless:
    • The maximum timeline for initial response has been exceeded (shown below).
    • The maximum resolution time has been exceeded (shown below).
  • 🔎 We expect you to responsibly investigate this vulnerability -- please do not utilize the vulnerability beyond the initial findings.
  • ⏱️ Initial response within 48h, however, if the primary contact shown above is unavailable, please use the backup contacts provided. The maximum timeline for an initial response should be within 7 days.
  • ⏱️ Depending on the severity of the disclosure, resolution time may be anywhere from 24h to 2 weeks after initial response, though in most cases it will likely be closer to the former.
    • If the vulnerability is very low/low in terms of risk, the above timelines will not apply.
  • 🧰 Before the release of resolved versions, a GitHub Security Advisory. will be released on the respective repository. Browser all advisories here.