SECURITY.md

File metadata and controls

52 lines (30 loc) · 2.55 KB

Security Policy

The Defence Digital security policy is to avoid leaving the ecosystem worse than we found it: we do not intend to introduce vulnerabilities into the ecosystem.

The Royal Navy Design System team takes security vulnerabilities in the Royal Navy Design System seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

Supported Versions

The table below details which versions of the Royal Navy Design System documentation site are supported with bug fixes and security updates:

Version    Supported
1.x        Yes

See also: Version and release note documentation.

Reporting a Vulnerability

Please report vulnerabilities to us using the guidelines outlined below.

To report a security issue, email design-system@digital.mod.uk and include the word "SECURITY" in the subject line.

Please include:

  • Your name and affiliation (if any)
  • A brief description of the vulnerability
  • The website page or repository component where the vulnerability exists
  • Steps to identify the vulnerability. It is important that we can reproduce your findings.
  • Optionally, the type of vulnerability and any applicable OWASP category

The Royal Navy Digital Standards team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Qualifying Vulnerabilities

Any reproducible vulnerability that has a severe effect on the security or privacy of our users is likely to be in scope for the program. Common examples include cross-site scripting (XSS), server-side code injection (for example server-side include, SSI, injection), cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution (RCE), sensitive data exposure and privilege escalation.

The following are not in scope: volumetric vulnerabilities, for example denial of service by overwhelming a service with a high volume of requests.

Usage Recommendations

We recommend following the OWASP guidance for developing secure Node.js applications.

Known Security Gaps & Future Enhancements

We will publish here any known security improvements we have not yet addressed. We welcome contributions.

Contact

design-system@digital.mod.uk

Defence Digital security policy version 1.1.0