From f6ea93e2739e79b49dafc355eb93cad49766d50b Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Thu, 27 Aug 2020 15:02:11 -0700 Subject: [PATCH] First draft of instructions to report security vulnerabilities --- README.md | 4 ++++ SECURITY.md | 12 ++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 8bac3eba..08a86d9a 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,10 @@ Contributions are welcome. Before contributing, please see the [Code of Conduct](doc/code-of-conduct.md) and [the contributing guide](doc/contributing.md). +## Reporting Security Vulnerabilities + +Please follow the procedure described in [SECURITY.md](SECURITY.md). + ## License Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..ad936e3e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,12 @@ +# Reporting a Vulnerability + +Pinniped development is sponsored by VMware, and the Pinniped team encourages users +who become aware of a security vulnerability in Pinniped to report any potential +vulnerabilities found to security@vmware.com. If possible, please include a description +of the effects of the vulnerability, reproduction steps, and a description of in which +version of Pinniped or its dependencies the vulnerability was discovered. +The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055. + +The Pinniped team hopes that users encountering a new vulnerability will contact +us privately as it is in the best interests of our users that the Pinniped team has +an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.