> **Note** By interacting with @svengreb projects, organizations, and their communities, you agree to abide by their code of conduct and to follow general open source contribution guidelines and etiquette!
This document outlines security procedures and policies for security vulnerabilities in @svengreb projects.
The security of projects is taken seriously, which includes all @svengreb (source code) repositories as well as any managed organization, or organizations this account is part of with a maintainer-like role, and their communities.
If you believe you have found a security vulnerability [1] in any repository that meets the definition of vulnerabilities, please report it as described below.
Reports should only be related to…

- …projects within the @svengreb GitHub account. Only code that is actually owned by @svengreb, or any managed organization, is supported, while issues related to upstream projects, e.g. plugins or extensions, must be reported to the corresponding maintainers or companies of the upstream project. Support for reporting issues to the upstream team might be provided, but we are not responsible for security vulnerabilities in upstream projects in any way.
- …any (GitHub) organization managed by @svengreb, or organizations this account is part of with a maintainer-like role, and their communities. The same scope applies as for projects within the @svengreb GitHub account, but additionally the security vulnerability handling and disclosure process is the task of the corresponding maintainer team when the project is also maintained by a community. Of course @svengreb will help to close issues as quickly as possible, but the main administration lies with the respective maintainers.
> **Warning** Never report security vulnerabilities through public GitHub issues or any other public (communication) channel or platform!
Instead, please report security vulnerabilities by either…

- …using GitHub's "Private Security Vulnerability Reporting" system.
- …sending an email to security@svengreb.de if you prefer to submit without logging in or creating a GitHub account. If possible, please encrypt your email with Sven Greb's Age [2] or PGP [3] (GPG) key; both can be found in the GitHub organization's `.github` repository [4] [5] and are inlined below this list.
- …writing a private message in Matrix to @svengreb:matrix.org, or joining the official Matrix space of the specific project to ask for further help with submitting a report. Alternatively, contact svengreb#2186 on Discord or any verified community moderator or manager in the official servers of specific projects. Please note that both community platforms are public areas. When escalating there, please do not discuss the issue itself, not even in private message chats, but simply ask for ways to get hold of someone from the project team if both direct contacts listed above are not available at the moment.
Public keys for encrypted communications:

- Age: `age1ul0s8ctrsdydx68qs3t66ev5uhq700dt49pnqz3enh59qcrcyvasq7gvw8r`
- PGP (GPG): the ASCII-armored public key is provided in the `.github` repository [5].
Please include as much information as possible, using the questions listed below as a guideline, to help us better understand the nature and scope of the possible issue and help us triage the report more quickly:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
Note that all communications, following the global standard, must be in English to ensure that the process can take place with as few language barriers as possible and to avoid possible translation problems during the process.
Confirmed vulnerabilities will be investigated and patched as quickly as possible and rolled out to affected users through a patch or minor release version, depending on the status of the current project development, release cycle process and ways to backport to other supported versions.
Resolved security vulnerabilities will be made public as an advisory [6] [7] on GitHub and, in most cases, additionally announced via other official communication channels and platforms. This might also include a guide on how to apply mitigating steps to aid users in closing the security vulnerability as simply as possible.
Copyright © 2016-present Sven Greb
Footnotes

- [4] https://github.com/svengreb/.github/blob/main/data/svengreb.age.txt.pub
- [5] https://github.com/svengreb/.github/blob/main/data/svengreb.gpg.asc
- [6] https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities
- [7] https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure