docs(security): document our security policies

Albeit WIP, but we're ironing things out behind the scenes. Signed-off-by: Andrei Jiroh Halili <[email protected]>
recaptime-dev · May 20, 2023 · 20f743e · 20f743e
1 parent d5a62e1
commit 20f743e
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,7 @@
+# Security Policy
+
+> **Note**: This policy is currently a work in progress as we're ironing out our global security policy soon.
+
+## Reporting a Vulnerability
+
+We use GiHub's [private vulnerability reporting feature](https://github.com/RecapTime/squad-bots/security/advisories/new) and our [security issue tracker on GitLab](https://mau.dev/RecapTime/security/issue-tracker/-/issues/new?issue[confidential]=true&issue[description]=%23%23%20CVE%20ID%0A%0A%3C%21--%20Please%20leave%20this%20blank%20to%20request%20a%20CVE%20ID%20later%20on%20your%20behalf.%20If%20you%20have%20one%2C%20note%20it%20here%20below%20this%20HTML%20comment.%20--%3E%0A%0A%23%23%20Description%0A%0A%23%23%23%20Summary%0A_Short%20summary%20of%20the%20problem.%20Make%20the%20impact%20and%20severity%20as%20clear%20as%20possible.%20For%20example%3A%20An%20unsafe%20deserialization%20vulnerability%20allows%20any%20unauthenticated%20user%20to%20execute%20arbitrary%20code%20on%20the%20server._%0A%0A%23%23%23%20Details%0A_Give%20all%20details%20on%20the%20vulnerability.%20Pointing%20to%20the%20incriminated%20source%20code%20is%20very%20helpful%20for%20the%20maintainer._%0A%0A%23%23%23%20PoC%0A_Complete%20instructions%2C%20including%20specific%20configuration%20details%2C%20to%20reproduce%20the%20vulnerability._%0A%0A%23%23%23%20Impact%0A_What%20kind%20of%20vulnerability%20is%20it%3F%20Who%20is%20impacted%3F_%0A%0A%23%23%20Affected%20products%2Fpackages%0A%0A%2A%20package-ecosystem%2Fpackage-name%40%3Caffected-version-range%3E%20%28fixed%20in%20%3Cfixed-in-version%20OR%20TBD%3E%0A%0A%23%23%20Severity%0A%0A_Use%20the%20CVSS%20calculator%20for%20calculate%20severity%20based%20on%20vector%20string._%0A%0A%23%23%20CWEs%0A%0A_List%20any%20weaknesses%20in%20CWE%20format._) to accept and review security reports relating to this project. You can also email `[email protected]` with the subject prefix `[SECURITY:squad-bots]`, perferrably with [our PGP key](https://static.rtdevcdn.net.eu.org/keys/email.gpg.asc) or [contact our team via Keybase](https://keybase.io/reaptimesquad).