Skip to content

Latest commit

 

History

History
43 lines (26 loc) · 1.86 KB

SECURITY.md

File metadata and controls

43 lines (26 loc) · 1.86 KB

🔒 Reporting vulnerabilities

We take all security bugs seriously. Thank you for improving the security of this code! We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

✉️ How to report

Module vulnerabilities

Please send a procedure to reproduce iTop vulnerabilities to itop-security@combodo.com.

You can send us a standard "given / when / then" report, including iTop version, impacts, and maybe installed modules or data if they are needed to reproduce.

Dependencies vulnerabilities

Report security bugs in third-party modules to the person or team maintaining the module, and notify us of this report by sending an email to itop-security@combodo.com.

🔍 Combodo acknowledgment and investigation

Report sent to us will be acknowledged within the week.

Then, a Combodo developer will be assigned to the reported issue and will:

  • confirm the problem and determine the affected iTop versions
  • audit the code to search any potential similar problems
  • try to find a workaround if any
  • create fixes for all releases still under maintenance
  • send you the commit(s) for review
  • send you the next version(s) that will contain the fix, and the estimated release dates

Security issues always take precedence over bug fixes and feature work.

The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance.

📆 Disclosure Policy

Once the fix is done and acknowledged by every stakeholder, it will be included in the next module version.

The release communications will include the information of the vulnerability fix.

Corresponding GitHub advisories and CVE will be published 3 months after the extension version release date so that iTop instances can be updated.