Commit
1 parent ff05c09, commit 72a2fec
Showing 1 changed file with 53 additions and 0 deletions.
@@ -0,0 +1,53 @@ | ||
# Security Policy | ||
|
||
The following security policy covers the QuickBox CE (Community Edition) as | ||
seen here within this GitHub repository. For reporting any suspected vulnerabilities | ||
within QuickBox Pro, please create a private listing within our QuickBox Labs ([here](https://lab.quickbox.io/QuickBox/Pro/-/issues)). | ||
|
||
## Supported Versions | ||
|
||
The QuickBox Community Edition is under limited development and support. | ||
Meaning, it is a community aimed project. As such, any future developments are | ||
on hold as we focus on our QuickBox Pro project. We do however take reports | ||
of security issues seriously and will work to have these patched upstream | ||
in a timely manner. As such, any security reports and subsequent patches are | ||
posted upstream on a rolling commit basis covering latest versions as they are | ||
released within our master branch. | ||
|
||
--- | ||
|
||
## Reporting a Vulnerability | ||
|
||
Security is of the highest importance and all security vulnerabilities or suspected | ||
security vulnerabilities should be reported to QuickBox.IO privately, to minimize attacks | ||
against current users of QuickBox before they are fixed. Vulnerabilities will be | ||
investigated and patched on the next patch (or minor) release as soon as possible. | ||
This information could be kept entirely internal to the project. | ||
|
||
If you know of a publicly disclosed security vulnerability for QuickBox CE, | ||
please IMMEDIATELY contact sec@quickbox.io to inform the QuickBox.IO Team. | ||
|
||
*IMPORTANT: Do not file public issues on GitHub for security vulnerabilities* | ||
|
||
Please report (suspected) security vulnerabilities to sec@quickbox.io. | ||
You will receive a response from us within 48 hours. If the issue is confirmed, | ||
we will release a patch as soon as possible depending on complexity but | ||
historically within a few days. | ||
|
||
--- | ||
|
||
## Proposed Email Content | ||
|
||
Provide a descriptive subject line and in the body of the email include the following information: | ||
|
||
* Basic identity information, such as your name and your affiliation or company. | ||
* Detailed steps to reproduce the vulnerability. | ||
* Description of the effects of the vulnerability on QuickBox and the related hardware and software configurations, so that the QuickBox Team can reproduce it. | ||
* How the vulnerability affects QuickBox usage and an estimation of the attack surface, if there is one. | ||
* List other projects or dependencies that were used in conjunction with QuickBox to produce the vulnerability. | ||
|
||
--- | ||
|
||
## Preferred Languages | ||
|
||
We prefer all communications to be in English. |
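Review bot: The sentence "This information could be kept entirely internal to the project." in the "Reporting a Vulnerability" section leaves the disclosure outcome undefined: a reporter cannot tell whether a confirmed issue is ever published after the patch, or whether they may disclose it themselves once a fix ships. Suggest replacing it with a concrete statement, e.g. "Once a fix is released we will publish an advisory describing the issue and credit the reporter unless they ask otherwise." Two smaller points in the same hunk: the policy asks reporters to send "Detailed steps to reproduce the vulnerability" to sec@quickbox.io but offers no PGP key or other encrypted channel, so consider adding one (or noting that none is available); and the "Supported Versions" section names no versions or branches beyond "master", so a short line such as "Only the current master branch receives security fixes" would make the support scope explicit.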