From 42f0ba18754125f1b6c34cb522689c03f0177717 Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Tue, 26 Oct 2021 16:09:41 +0100 Subject: [PATCH] Added security policy md file --- .github/SECURITY.md | 32 ++++++++++++++++++++++++++++++++ readme.md | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 .github/SECURITY.md diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 000000000..c2201a628 --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,32 @@ +# Security Policy + +## Supported Versions + +Only the [latest version](https://github.com/BookStackApp/BookStack/releases) of BookStack is supported. +We generally don't support older versions of BookStack due to maintenance effort and +since we aim to provide a fairly stable upgrade path for new versions. + +## Security Notifications + +If you'd like to be notified of new potential security concerns you can [sign-up to the BookStack security mailing list](https://updates.bookstackapp.com/signup/bookstack-security-updates). + +## Reporting a Vulnerability + +If you've found an issue that likely has no impact to existing users (For example, in a development-only branch) +feel free to raise it via a standard GitHub bug report issue. + +If the issue could have a security impact to BookStack instances, please use one of the below +methods to report the vulnerability: + +- Directly contact the lead maintainer [@ssddanbrown](https://github.com/ssddanbrown). + - You will need to login to be able to see the email address on the [GitHub profile page](https://github.com/ssddanbrown). + - Alternatively you can send a DM via Twitter to [@ssddanbrown](https://twitter.com/ssddanbrown). +- [Disclose via huntr.dev](https://huntr.dev/bounties/disclose) + - Bounties may be available to you through this platform. + - Be sure to use `https://github.com/BookStackApp/BookStack` as the repository URL. + +Please be patient while the vulnerability is being reviewed. Deploying the fix to address the vulnerability +can often take a little time due to the amount of preparation required, to ensure the vulnerability has +been covered, and to create the content required to adequately notify the user-base. + +Thank you for keeping BookStack instances safe! \ No newline at end of file diff --git a/readme.md b/readme.md index 1ab54de6e..17ac9641b 100644 --- a/readme.md +++ b/readme.md 
@@ -157,7 +157,7 @@ Security information for administering a BookStack instance can be found on the If you'd like to be notified of new potential security concerns you can [sign-up to the BookStack security mailing list](https://updates.bookstackapp.com/signup/bookstack-security-updates). -If you would like to report a security concern in a more confidential manner than via a GitHub issue, You can directly email the lead maintainer [ssddanbrown](https://github.com/ssddanbrown). You will need to login to be able to see the email address on the [GitHub profile page](https://github.com/ssddanbrown). Alternatively you can send a DM via twitter to [@ssddanbrown](https://twitter.com/ssddanbrown). +If you would like to report a security concern, details of doing so can [can be found here](https://github.com/BookStackApp/BookStack/blob/master/.github/SECURITY.md). ## ♿ Accessibility
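Review bot: in the `.github/SECURITY.md` hunk, the triage rule in "Reporting a Vulnerability" leaves the severity call to the reporter ("an issue that likely has no impact to existing users ... raise it via a standard GitHub bug report issue") with no guidance for the uncertain case; a misjudged report then lands in a public issue. Suggest adding a line such as "If in doubt, use one of the private methods below" after that paragraph. The private methods offered are an email address visible only after GitHub login and Twitter DMs; Twitter DMs are not end-to-end encrypted and the email route gives no key, so a reporter who wants to send reproduction details or a proof of concept has no encrypted channel. If the project wants such detail, consider publishing a PGP key or stating that an encrypted channel can be arranged on first contact. The section also gives no expected acknowledgement or response window beyond "Please be patient"; a stated figure (for example, an initial reply within a given number of days) tells reporters when a follow-up is appropriate. Finally, the new file is committed without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show a spurious change on the last line.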
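Review bot: in the `readme.md` hunk, the added line reads "details of doing so can [can be found here]", duplicating "can"; suggest "If you would like to report a security concern, please follow the [security policy](https://github.com/BookStackApp/BookStack/blob/master/.github/SECURITY.md)." The removed sentence also told readers that the direct-contact routes exist for reporting "in a more confidential manner than via a GitHub issue"; that phrasing is worth keeping in the readme so the distinction between public issues and private reports survives for people who never click through. As a minor point, the link is an absolute URL to `blob/master/.github/SECURITY.md`; a relative `.github/SECURITY.md` would follow forks and branches, though the absolute form is fine if the readme is rendered outside GitHub.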