From b50abb227f754f88a4aaebdbf0c45ddccc1b58f6 Mon Sep 17 00:00:00 2001 From: Adrian Catangiu Date: Mon, 27 Apr 2020 11:00:09 +0300 Subject: [PATCH] added security policy document Signed-off-by: Adrian Catangiu --- SECURITY-POLICY.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 SECURITY-POLICY.md diff --git a/SECURITY-POLICY.md b/SECURITY-POLICY.md new file mode 100644 index 0000000..3d7b974 --- /dev/null +++ b/SECURITY-POLICY.md @@ -0,0 +1,22 @@ +# Security Issue Policy + +If you uncover a security issue with versionize, please write to us on +. + +Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made +aware) of a security issue, they will immediately assess it. Based on impact +and complexity, they will determine an embargo period (if externally reported, +the period will be agreed upon with the external party). + +During the embargo period, maintainers will prioritize developing a fix over +other activities. Within this period, maintainers may also notify a limited +number of trusted parties via a pre-disclosure list, providing them with +technical information, a risk assessment, and early access to a fix. + +The external customers are included in this group based on the scale of their +versionize usage in production. The pre-disclosure list may also contain +significant external security contributors that can join the effort to fix the +issue during the embargo period. + +At the end of the embargo period, maintainers will publicly release information +about the security issue together with the versionize patches that mitigate it.
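Review bot: the reporting channel in the first paragraph of SECURITY-POLICY.md is empty as written ("please write to us on" followed by a line containing only "."), so a reporter following this document has no address to send to; please make sure the contact address actually appears in the rendered file, and consider adding, alongside it, a PGP key for encrypted reports and the acknowledgement window reporters should expect, since the policy describes an embargo but not when a reporter will first hear back. Two smaller points in the same hunk: "The external customers are included in this group based on the scale of their versionize usage in production" reads better as "External customers are included in this group based on the scale of their versionize usage in production", and "Once the Firecracker [maintainers](MAINTAINERS.md) become aware (or are made aware)" could simply read "Once the Firecracker [maintainers](MAINTAINERS.md) become aware", since being made aware is already covered; the link target MAINTAINERS.md should also exist in this repository, not only in Firecracker's, for the relative link to resolve.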