We appreciate your efforts in identifying and reporting security vulnerabilities in our project. To ensure responsible disclosure, please follow these guidelines:
Reporting a Vulnerability:
- Do Not Create a Public Issue: Avoid publicly disclosing the vulnerability until it has been addressed.
- Contact Us: Please report security vulnerabilities by emailing [your email address]. Provide detailed information about the vulnerability, including:
  - Type of vulnerability: (e.g., cross-site scripting, SQL injection)
  - Steps to reproduce: Clear and concise instructions to replicate the issue.
  - Affected versions: Specify the versions of the project impacted by the vulnerability.
  - Potential impact: Describe the potential consequences of exploiting the vulnerability.
- Confidentiality: We request that you keep the vulnerability confidential until we have had a chance to investigate and address it.
Our Commitment:
- Acknowledgement: We will acknowledge receipt of your vulnerability report within [number] business days.
- Investigation: We will thoroughly investigate the reported vulnerability and assess its severity.
- Resolution: We will work to remediate the vulnerability as quickly as possible.
- Disclosure: Once the vulnerability is fixed, we will publicly disclose it in a responsible manner, crediting you for your contribution (unless you prefer to remain anonymous).
Safe Harbor:
We consider security research and vulnerability reporting to be a valuable contribution to our project's security. When conducted in accordance with this policy, we will not take legal action against you for:
- Accessing our systems or data in a good faith effort to identify and report a security vulnerability.
- Inadvertently causing a temporary disruption to our services while conducting security research.
Scope:
This security policy applies to all projects and repositories under the [your organization/username] GitHub organization.
Thank you for helping us keep our project secure!