If you find a significant vulnerability or evidence of one, please report it privately.
We prefer that you use the GitHub mechanism for privately reporting a vulnerability. Under the main repository's security tab, click "Report a vulnerability" to open the advisory form.
This document outlines the security measures to ensure the confidentiality, integrity, and availability of our systems and data. All team members must understand and adhere to these policies.
Access to our systems and data will be granted based on the principle of least privilege. This means that users are given only the minimum access necessary to perform their job functions. Access levels will be reviewed regularly and adjusted as needed.
All users are required to create strong, unique passwords for all accounts used within our organization. Passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols, must not be reused across accounts, and must under no circumstances be shared with anyone.
Multi-factor authentication is required for all user accounts. This adds an additional layer of security by requiring a second form of verification in addition to the password, such as a code from an authenticator app or a hardware security key. Text message and email codes are accepted only where stronger factors are unavailable, since they can be intercepted or phished more easily.
Regular backups of all data will be taken and stored offsite. Data backups will be tested regularly to ensure they can be restored in case of a disaster.
All systems will have up-to-date antivirus software installed. Software installations will be restricted to approved sources, and all software updates will be applied promptly.
A disaster recovery plan (DRP) ensures that we can quickly recover from any disruptions to our systems or data. The DRP includes procedures for notifying team members, restoring data from backups, and redirecting traffic to backup systems if necessary.
Regular system maintenance will ensure the availability of our systems. This includes patching software, monitoring server performance, and conducting regular vulnerability assessments.
If you suspect a security issue or breach, report it to your supervisor or the IT department immediately. Do not share any details about the suspected issue on social media or with anyone outside of the organization until the matter has been properly investigated and addressed.