29 changes: 24 additions & 5 deletions docs/security.md
@@ -10,9 +10,28 @@
you can demonstrate an actual security vulnerability or provide us with
reasonable steps we could follow to verify your claims.

If you’ve discovered a security issue affecting Dasharo, please send an
encrypted (using [Dasharo security team PGP key][sec-key] e-mail to this
address: `security@dasharo.com`. Please not that unencrypted e-mails sent to
this address may be ignored.
If you've discovered a security issue affecting Dasharo, either directly or
indirectly (e.g., the issue affects Dasharo Tools Suite, which is commonly used
to maintain Dasharo installation and updates), then we would be more than happy
to hear from you! We promise to take all reported issues seriously. If our
investigation confirms that an issue affects Dasharo, we will patch it within a
reasonable time and release a public Dasharo Security Bulletin (DSB) that
describes the issue, discusses the potential impact of the vulnerability,
references applicable patches or workarounds, and credits the discoverer.
Please use the [Dasharo Security Team PGP key][sec-key] to encrypt your email
to this address:

[sec-key]: https://github.com/3mdeb/3mdeb-secpack/tree/master/keys/security-team/dasharo-security-team-encryption-key.asc
security at dasharo dot com

This key is signed by the [3mdeb Master Key][master-key].

When reporting a sensitive vulnerability not yet publicly known, You agree not
to disclose such details publicly or to any third party other than a relevant
CSIRT or ENISA until 3mdeb has had a reasonable period (typically expected to
be up to 90 days, consistent with industry practices) to investigate,
remediate, and coordinate disclosure. This allows for responsible handling of
security issues while acknowledging that the general development process for
non-critical aspects is public.

[sec-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/security-team/dasharo-security-team-encryption-key.asc
[master-key]: https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/refs/heads/master/keys/master-key/3mdeb-master-key.asc
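Review bot: The rewritten paragraph drops the statement from the removed lines that unencrypted e-mail sent to this address may be ignored, so a reporter who skips the PGP step now has no indication their report could be lost; suggest keeping a sentence to that effect after "to this address:". Two smaller points in the same hunk: the address is now given as "security at dasharo dot com" where the old text used a copyable `security@dasharo.com`, and in "When reporting a sensitive vulnerability not yet publicly known, You agree not" the mid-sentence "You" should be lowercase. The `[sec-key]` reference now pointing at the raw `.asc` file rather than the repository tree view is an improvement, since the link resolves directly to the key material.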