From 4174e2b15caa58dd085e4934dcf062bb17e46533 Mon Sep 17 00:00:00 2001 From: Xander Grzywinski Date: Thu, 9 May 2024 13:07:38 -0700 Subject: [PATCH 1/2] docs: add security policy to repo root Signed-off-by: Xander Grzywinski --- SECURITY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..847cb9f953 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Reporting Security Issues + +To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +### When Should I Report a Vulnerability? + +* You found a vulnerability in the Zarf code. +* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet. + +### When Should I NOT Report a Vulnerability? + +* You found a bug or malfunction in the Zarf code (not security related). +* You want to add a feature to Zarf. + +## Contacting Us + +To discuss security related issues, please email the maintainers at zarf-dev-private@googlegroups.com. \ No newline at end of file From 223a116008223bb4d535826313915bb67d1b8354 Mon Sep 17 00:00:00 2001 From: Xander Grzywinski Date: Thu, 9 May 2024 13:30:08 -0700 Subject: [PATCH 2/2] docs: move security changes to existing file Signed-off-by: Xander Grzywinski --- .github/SECURITY.md | 18 +++++++++++++++--- SECURITY.md | 17 ----------------- 2 files changed, 15 insertions(+), 20 deletions(-) delete mode 100644 SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md index ff723278fe..6fd559327f 100644 
--- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -1,9 +1,21 @@ -# Security Policy +# Reporting Security Issues + +To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +### When Should I Report a Vulnerability? + +* You found a vulnerability in the Zarf code. +* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet. + +### When Should I NOT Report a Vulnerability? + +* You found a bug or malfunction in the Zarf code (not security related). +* You want to add a feature to Zarf. ## Supported Versions As Zarf has not yet reached v1.0.0, only the current latest minor release is supported. -## Reporting a Vulnerability +## Contacting Us -Please email `security-notice [at] defenseunicorns.com` to report a vulnerability. If you are unable to disclose details via email, please let us know and we can coordinate alternate communications. +To discuss security related issues, please email the maintainers at zarf-dev-private@googlegroups.com. diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index 847cb9f953..0000000000 --- a/SECURITY.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Reporting Security Issues - -To report a security issue or vulnerability in Zarf, please use the confidential GitHub Security Advisory ["Report a Vulnerability"](https://github.com/defenseunicorns/zarf/security/advisories) tab. The Zarf team will send a response indicating the next steps in handling your report. After the initial reply to your report, the team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. - -### When Should I Report a Vulnerability? - -* You found a vulnerability in the Zarf code. -* You found a vulnerability in one of the Zarf dependencies that affects the project that has not been patched yet. - -### When Should I NOT Report a Vulnerability? - -* You found a bug or malfunction in the Zarf code (not security related). -* You want to add a feature to Zarf. - -## Contacting Us - -To discuss security related issues, please email the maintainers at zarf-dev-private@googlegroups.com. \ No newline at end of file
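Review bot: In the first commit's hunk (new root `SECURITY.md`), the file is added without a trailing newline (`\ No newline at end of file`) and duplicates the purpose of the existing `.github/SECURITY.md` that the second commit then edits, so for the span of one commit the repo carries two competing policies; since the second commit deletes this file again, squash the two commits (or drop the first) so the history never contains both policies side by side.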
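Review bot: In the `.github/SECURITY.md` hunk, the removed line `Please email ... If you are unable to disclose details via email, please let us know and we can coordinate alternate communications.` was the only fallback reporting channel, and the replacement text offers the GitHub advisory form as the single way to report, with the `zarf-dev-private@googlegroups.com` address presented only as a place to "discuss" security issues; keep a sentence stating that reporters who cannot use the advisory form may email that address and that it is private, since the heading promises a confidential process. Two smaller points in the same hunk: the `### When Should I ...` headings sit directly under the `#` title but above the `## Supported Versions` section, so they should be `##` to keep the hierarchy consistent, and the bullet `one of the Zarf dependencies that affects the project that has not been patched yet` reads better as "a Zarf dependency that affects the project and has not yet been patched".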
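Review bot: The deletion hunk for the root `SECURITY.md` fully reverts the first commit, leaving `.github/SECURITY.md` as the single policy, which is the right end state; the commit message `docs: move security changes to existing file` should say that the root file was removed, not moved, so that anyone reading the log understands the project intentionally keeps the policy only under `.github/`.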