First draft of instructions to report security vulnerabilities

Ryan Richard 2020-08-27 15:02:11 -07:00
parent 9ecc88a898
commit f6ea93e273
2 changed files with 16 additions and 0 deletions

@ -66,6 +66,10 @@ Contributions are welcome. Before contributing, please see
the [Code of Conduct](doc/code-of-conduct.md) and the [Code of Conduct](doc/code-of-conduct.md) and
[the contributing guide](doc/contributing.md). [the contributing guide](doc/contributing.md).
## Reporting Security Vulnerabilities
Please follow the procedure described in [SECURITY.md](SECURITY.md).
## License ## License
Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file. Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file.
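Review bot: The new "Reporting Security Vulnerabilities" section in the README only points to SECURITY.md, so a reader who stops at the README never learns that reports are expected by private email rather than in a public issue. Consider adding one sentence under the heading saying so, for example "Please do not file public issues for suspected vulnerabilities", and linking SECURITY.md from doc/contributing.md as well, since the preceding paragraph sends contributors there.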

SECURITY.md Normal file

@ -0,0 +1,12 @@
# Reporting a Vulnerability
Pinniped development is sponsored by VMware, and the Pinniped team encourages users
who become aware of a security vulnerability in Pinniped to report any potential
vulnerabilities found to security@vmware.com. If possible, please include a description
of the effects of the vulnerability, reproduction steps, and a description of in which
version of Pinniped or its dependencies the vulnerability was discovered.
The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
The Pinniped team hopes that users encountering a new vulnerability will contact
us privately as it is in the best interests of our users that the Pinniped team has
an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.
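Review bot: The closing paragraph of SECURITY.md only "hopes" that reporters will make contact privately; it never says what to avoid or what happens after a report is sent. State directly that suspected vulnerabilities should not be raised in public issues or pull requests, and say whether the reporter can expect an acknowledgement from security@vmware.com. Two wording points in the first paragraph: "report any potential vulnerabilities found" repeats "become aware of a security vulnerability", and "a description of in which version" reads more cleanly as "the version of Pinniped or its dependencies in which the vulnerability was discovered". On the PGP line, consider stating the key fingerprint in the file itself so reporters can check the key they fetch from the linked page.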