getporter · schristoff · Apr 8, 2024 · Mar 28, 2024 · Apr 5, 2024
@@ -0,0 +1,36 @@
+# Security policy
+
+## Communication
+
+We will publish known vulnerabilities through a [GitHub Security Advisory](https://github.com/getporter/porter/security/advisories) once they have been addressed to inform the community of their potential scope, impact, and mitigation.
+
+## Reporting a vulnerability
+
+Porter and its maintainers takes the security of the project seriously, and we appreciate your efforts to responsibly disclose your findings to us.
+
+> **Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them through our [private vulnerability reporting](https://github.com/getporter/porter/security/advisories/new) form.
+
+It should contain: 
+        * description of the problem
+        * precise and detailed steps (include screenshots) that created the
+          problem
+        * the affected version(s)
+        * any possible mitigations, if known
+   You will receive a reply from one of the maintainers within **3 days**
+   acknowledging receipt of the email.
+
+   You may be contacted by a Porter project maintainerto further discuss the reported item.
+   Please bear with us as we seek to understand the breadth and scope of the
+   reported problem, recreate it, and confirm if there is a vulnerability
+   present.
+
+
+This project follows a **10 disclosure timeline**. Refer to our [embargo policy](./embargo-policy.md) for more information.
+
+## Supported Versions
+
+Porter remains in the process of getting to a stable v1.0 release, and as such does not currently provide a long-term supported version.
+We make a good faith effort to respond to security issues in a timely manner and will release version updates as needed to address them.
+Users should expect to upgrade to the latest release version to stay current on security updates.
@@ -0,0 +1,17 @@
+# Security Contacts
+
+Defined below are the security persons of contact for this project. If you have
+questions regarding the triaging and handling of incoming problems, they may be
+contacted.
+
+The following security contacts have agreed to abide by the Embargo Policy $LINK
+and will be removed and replaced if found to be in violation of that agreement.
+
+DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, USE THE
+INSTRUCTIONS AT [VULNERABILITY REPORTING FORM](https://github.com/getporter/porter/security/advisories/new)
+
+Security Contacts:
+
+* [Sarah Christoff](https://github.com/schristoff)
+* [Steven Gettys](https://github.com/sgettys)
+* [Brian DeGeeter](https://github.com/bdegeeter)
@@ -0,0 +1,30 @@
+# Embargo Policy
+
+This policy forbids members of this project's [security contacts](./SECURITY_CONTACTS.md) and others
+defined below from sharing information outside of the security contacts and this
+listing without need-to-know and advance notice.
+
+The information members and others receive from the list defined below must:
+
+* not be made public,
+* not be shared,
+* not be hinted at
+* must be kept confidential and close held
+
+Except with the list's explicit approval. This holds true until the public
+disclosure date/time that was agreed upon by the list.
+
+If information is inadvertently shared beyond what is allowed by this policy,
+you are REQUIRED to inform the [security contacts](./SECURITY_CONTACTS.md) of exactly what
+information leaked and to whom. A retrospective will take place after the leak
+so we can assess how to not make this mistake in the future.
+
+Violation of this policy will result in the immediate removal and subsequent
+replacement of you from this list or the Security Contacts.
+
+## Disclosure Timeline
+
+This project sustains a **10 disclosure timeline** to ensure we provide a
+quality, tested release. On some occasions, we may need to extend this timeline
+due to complexity of the problem, lack of expertise available, or other reasons.
+Submitters will be notified if an extension occurs.