From 72a2fece3a8b38c7a8aae6ba86e5bfda08a2a154 Mon Sep 17 00:00:00 2001 From: Jason Matthews Date: Thu, 9 Dec 2021 08:59:22 -0600 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..66798edb --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,53 @@ +# Security Policy + +The following security policy covers the QuickBox CE (Community Edition) as +seen here within this GitHub repository. For reporting any suspected vulnerabilities +within QuickBox Pro, please create a private listing within our QuickBox Labs ([here](https://lab.quickbox.io/QuickBox/Pro/-/issues)). + +## Supported Versions + +The QuickBox Community Edition is under limited development and support. +Meaning, it is a community aimed project. As such, any future developments are +on hold as we focus on our QuickBox Pro project. We do however take reports +of security issues seriously and will work to have these patched upstream +in a timely manner. As such, any security reports and subsequent patches are +posted upstream on a rolling commit basis covering latest versions as they are +released within our master branch. + +--- + +## Reporting a Vulnerability + +Security is of the highest importance and all security vulnerabilities or suspected +security vulnerabilities should be reported to QuickBox.IO privately, to minimize attacks +against current users of QuickBox before they are fixed. Vulnerabilities will be +investigated and patched on the next patch (or minor) release as soon as possible. +This information could be kept entirely internal to the project. + +If you know of a publicly disclosed security vulnerability for QuickBox CE, +please IMMEDIATELY contact sec@quickbox.io to inform the QuickBox.IO Team. + +*IMPORTANT: Do not file public issues on GitHub for security vulnerabilities* + +Please report (suspected) security vulnerabilities to sec@quickbox.io. +You will receive a response from us within 48 hours. If the issue is confirmed, +we will release a patch as soon as possible depending on complexity but +historically within a few days. 
+ +--- + +## Proposed Email Content + +Provide a descriptive subject line and in the body of the email include the following information: + +* Basic identity information, such as your name and your affiliation or company. +* Detailed steps to reproduce the vulnerability. +* Description of the effects of the vulnerability on QuickBox and the related hardware and software configurations, so that the QuickBox Team can reproduce it. +* How the vulnerability affects QuickBox usage and an estimation of the attack surface, if there is one. +* List other projects or dependencies that were used in conjunction with QuickBox to produce the vulnerability. + +--- + +## Preferred Languages + +We prefer all communications to be in English.
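Review bot: the "Supported Versions" section names no versions. It explains that CE is under limited development and that fixes land "on a rolling commit basis covering latest versions as they are released within our master branch", but a reporter still cannot tell whether a tagged release or an older install will receive a fix; either add the conventional version table that GitHub's SECURITY.md template uses or state it in one sentence, e.g. "Only the current master branch receives security fixes; older releases should upgrade." In the "Reporting a Vulnerability" section, "This information could be kept entirely internal to the project" leaves the disclosure outcome undefined: say whether an advisory or changelog entry is published once the patch ships, and since the policy asks for "Detailed steps to reproduce the vulnerability" to be sent privately to sec@quickbox.io, consider publishing a PGP key or another encrypted channel for that address so the reproduction details are not sent in cleartext.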