From bf4d42fa5321042dc9c893d566a4dff1a15a2ab0 Mon Sep 17 00:00:00 2001 From: Hari Chalise Date: Tue, 10 Dec 2024 01:29:17 +0545 Subject: [PATCH] Security Policy & Notes (#4) Co-authored-by: aayush <177418358+aayushrg7@users.noreply.github.com> Co-authored-by: Smriti Bhandari <187972284+smritics@users.noreply.github.com> --- .github/SECURITY.md | 52 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..5ec16a1 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,52 @@ +# Security Policy for Carch + +## Introduction + +The security of the **Carch** project is of utmost importance to us. We are committed to addressing vulnerabilities in a timely manner to ensure the safety and reliability of our software. This document outlines our process for reporting and handling security vulnerabilities. + +## Reporting a Vulnerability + +If you discover a potential security vulnerability in **Carch**, please report it promptly by following these guidelines to ensure an efficient response: + +### 1. Report Method + +You can report vulnerabilities using one of the following methods: +- **Email**: Send a detailed report to our security email at [harilvfs@chalisehari.com.np](mailto:harilvfs@chalisehari.com.np). +- **Report Form**: Fill out the [Report Form](https://github.com/harilvfs/carch/security/advisories/new). +- **GitHub Issues**: Create a private issue in this repository and label it with "security." Ensure that the issue remains private to protect sensitive information. + +### 2. Information to Include + +To facilitate a thorough investigation, please include the following information in your report: +- **Description**: A clear and concise description of the vulnerability. +- **Reproduction Steps**: Step-by-step instructions to reproduce the issue, including any specific configurations or environments. +- **Impact Assessment**: An explanation of the potential impact of the vulnerability (e.g., data exposure, system compromise). +- **Mitigation Strategies**: Any recommendations for mitigating the vulnerability until a fix is implemented. + +### 3. Response Time + +Upon receiving your report, we will: +- Acknowledge the receipt of your report within **48 hours**. +- Provide you with an estimated timeline for our investigation. + +### 4. Updates + +You will receive regular updates on the status of your report, including: +- A confirmation of whether the vulnerability is accepted for investigation. 
+- Ongoing progress updates throughout the assessment and remediation process. +- Notifications of any decisions regarding the vulnerability. + +### 5. Disclosure Policy + +Once a vulnerability is confirmed and a fix is implemented: +- We will release an update addressing the vulnerability as soon as possible. +- If you wish, we will credit you as the reporter in the release notes. +- We will inform the community about the vulnerability, its impact, and the resolution measures taken. + +## Conclusion + +Thank you for your vigilance and commitment to keeping **Carch** secure. We appreciate your cooperation and dedication to improving our project's security. If you have any questions or need further assistance, please don’t hesitate to reach out. + +--- + +Your contributions help us maintain a secure and reliable environment for all users of **Carch**!
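Review bot: the third bullet under "### 1. Report Method" tells reporters to "Create a private issue in this repository and label it with "security."", but GitHub issues have no private mode: an issue in a public repository is as visible as the repository itself, so a reporter who follows this instruction would publicly disclose the vulnerability before a fix exists. Suggest dropping that bullet, or rewording it to direct reporters to the advisory form already linked in the "Report Form" bullet (https://github.com/harilvfs/carch/security/advisories/new), which is GitHub's private vulnerability reporting channel, e.g. "- **GitHub**: Use the private advisory form above; please do not open a public issue for security reports." Minor: the email address in the "Email" bullet and the advisory form are then the only two channels, which matches the "ensure that the issue remains private" intent the bullet currently contradicts.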