-
Notifications
You must be signed in to change notification settings - Fork 238
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs(security): use GitHub security advisories
- Loading branch information
1 parent
f0fd9e1
commit 3b8cebf
Showing
1 changed file
with
25 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,18 +4,19 @@ We take security seriously. Responsible reporting and disclosure of security | |
vulnerabilities is important for the protection and privacy of our users. If you | ||
discover any security vulnerabilities, please follow these guidelines. | ||
|
||
To report a vulnerability, we recommend submitting a report to Snyk using their | ||
[vulnerability disclosure form](https://snyk.io/vulnerability-disclosure/). | ||
Snyk's security team will validate the vulnerability and coordinate with you and | ||
us to fix it, release a patch, and responsibly disclose the vulnerability. Read | ||
Snyk's | ||
[Vulnerability Disclosure Policy](https://docs.snyk.io/more-info/disclosing-vulnerabilities/disclose-a-vulnerability-in-an-open-source-package) | ||
for details. | ||
|
||
We also request that you send an email to | ||
[[email protected]](mailto:[email protected]) detailing the vulnerability. | ||
This ensures that we can begin work on a fix as soon as possible without waiting | ||
for Snyk to contact us. | ||
Published security advisories are available on our [GitHub Security Advisories] | ||
page. | ||
|
||
To report a vulnerability, please draft a [new security advisory on GitHub]. Any | ||
fields that you are unsure of or don't understand can be left at their default | ||
values. The important part is that the vulnerability is reported. Once the | ||
security advisory draft has been created, we will validate the vulnerability and | ||
coordinate with you to fix it, release a patch, and responsibly disclose the | ||
vulnerability to the public. Read GitHub's documentation on [privately reporting | ||
a security vulnerability] for details. | ||
|
||
If you are unable to draft a security advisory, or if you need help or have | ||
security related questions, please send an email to [[email protected]]. | ||
|
||
Please do not report undisclosed vulnerabilities on public sites or forums, | ||
including GitHub issues and pull requests. Reporting vulnerabilities to the | ||
|
@@ -27,10 +28,18 @@ public, at which time you will be free to publish details of the vulnerability | |
on public sites and forums. | ||
|
||
If you have a fix for a security vulnerability, please do not submit a GitHub | ||
pull request. Instead, report the vulnerability as described in this policy and | ||
include a potential fix in the report. Once the vulnerability has been verified | ||
and a disclosure timeline has been decided, we will contact you to see if you | ||
would like to submit a pull request. | ||
pull request. Instead, report the vulnerability as described in this policy. | ||
Once we have verified the vulnerability, we can create a [temporary private | ||
fork] to collaborate on a patch. | ||
|
||
We appreciate your cooperation in helping keep our users safe by following this | ||
policy. | ||
|
||
[github security advisories]: https://github.com/json5/json5/security/advisories | ||
[new security advisory on github]: | ||
https://github.com/json5/json5/security/advisories/new | ||
[privately reporting a security vulnerability]: | ||
https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability | ||
[[email protected]]: mailto:[email protected] | ||
[temporary private fork]: | ||
https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability |