incident-disclosure: add Incident Disclosure and Notification policy #12
Merged
@@ -0,0 +1,38 @@ | ||
--- | ||
title: Incident disclosure and notification policy | ||
slug: incident-disclosure | ||
policy: true | ||
faq: false | ||
weight: 13 | ||
--- | ||
|
||
This policy specifies when and how we notify users about security incidents. | ||
|
||
Both the client software and our managed backend infrastructure (i.e. coordination server) are in scope for this policy. | ||
|
||
For incidents that fall under any legal disclosure requirements (such as [California’s Data Security Breach Reporting](https://oag.ca.gov/privacy/databreach/reporting)), those requirements will take precedence over this policy. | ||
|
||
By “notify” here we mean explicitly contacting users in addition to regular release notes in the [changelog](https://tailscale.com/changelog/) and GitHub commit history. For example, you may read about minor vulnerability patches in release notes, but we may not notify users via a dedicated security bulletin. | ||
|
||
### When we notify users | ||
|
||
Generally, we aim to reduce noise and only notify users for actionable incidents. Tailscale does not notify users for routine security patching of dependencies. We also don’t notify users for vulnerabilities in our software, if we confirm the vulnerability was not exploited and no users were affected. | ||
|
||
We will **disclose** a security vulnerability **when a fix is available** and any of the following is true: | ||
|
||
* User action is needed to fix the vulnerability, e.g. updating the client software, or applying another mitigation; | ||
* We can confirm that tailnet metadata or data was visible to an unauthorized party; or | ||
* We cannot confirm that no users were affected by the vulnerability. | ||
|
||
We will **notify users directly** about a security vulnerability when we can confirm that the tailnet was affected, and any of the following is true: | ||
|
||
* User action is needed to fix the vulnerability, and it is a critical or high impact vulnerability; or | ||
* We can confirm that tailnet metadata or data was visible to an unauthorized party. | ||
|
||
### How we notify users | ||
|
||
To disclose security vulnerabilities, Tailscale publishes security bulletins publicly for a broad audience at [https://tailscale.com/security-bulletins/](https://tailscale.com/security-bulletins/). These can be consumed directly, via RSS readers or via social media bot accounts. | ||
|
||
To notify users about security vulnerabilities, Tailscale will **email** affected tailnets’ administrators, with information specific to the tailnet, including specific users or nodes which are affected. These emails will be sent to the [security contact](https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email) for the tailnet, which by default is the Owner of the tailnet. | ||
|
||
Occasionally, Tailscale may decide to notify users in additional ways about a security issue, such as by publishing a [blog post](https://tailscale.com/blog/), or with in-product notifications by putting a warning banner in the admin console. | ||
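Review bot: the disclosure and direct-notification criteria leave a gap for exactly the case the third disclosure bullet describes. Disclosure is triggered when "We cannot confirm that no users were affected", but direct notification requires that "we can confirm that the tailnet was affected", so when the affected set cannot be determined nobody receives an email even though that is the situation in which administrators have the least information; state explicitly that such incidents are bulletin-only, or add a notification bullet for it. Two smaller points in the same section: "the tailnet" in the notification sentence should read "a tailnet" (or "their tailnet"), since the criteria are applied per tailnet, and "critical or high impact" is used without naming the severity scale it refers to, so link or name the scale to make the threshold checkable. In the scope sentence, "i.e. coordination server" reads as if the coordination server is the whole managed backend; if other managed components are in scope, "e.g." or an explicit list is safer.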
|
@@ -26,7 +26,7 @@ All employees should watch for potentially suspicious activities, including: | |
* Modification or defacement of websites | ||
* New open network ports on a system | ||
|
||
Tailscale regularly reviews logs for detecting and tracking attempted intrusions and other suspicious activity. These include git, cloud, networking, SaaS tool, and other infrastructure logs. | ||
Tailscale regularly reviews logs for detecting and tracking attempted intrusions and other suspicious activity. These include git, cloud, networking, SaaS tool, and other infrastructure logs. | ||
usage nit (up to you): "...reviews logs to detect and track..."
||
|
||
The Security Review Team: | ||
|
||
|
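Review bot: the removed and added lines of this hunk read identically in this view ("Tailscale regularly reviews logs for detecting and tracking attempted intrusions and other suspicious activity."), so the actual change is not visible; if it is whitespace-only or a trailing-character fix, say so in the commit message, and if a wording change was intended it appears to have been lost. Since the line is being touched anyway, the inline suggestion "reviews logs to detect and track attempted intrusions" reads more naturally than "for detecting and tracking".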
@@ -41,3 +41,7 @@ Tailscale’s Security Review Team reviews and responds to potential third-party | |
### Incident response and remediation | ||
|
||
If a suspected incident is detected, it should be responded to following the [Incident response process](http://go/incident-response-process). | ||
|
||
We respond to reported incidents, and resolve and determine impact as soon as possible. We aim to remediate incidents as soon as possible. | ||
|
||
Confirmed incidents may be disclosed publicly per our [disclosure policy](/security-policies/incident-disclosure/). |
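Review bot: the two added sentences before the disclosure link say the same thing twice ("resolve and determine impact as soon as possible" and "remediate incidents as soon as possible"); fold them into one, e.g. "We respond to reported incidents, determine their impact, and remediate them as soon as possible." Also, now that the last line cross-links to the published disclosure policy, note that the Incident response process link above points at http://go/incident-response-process, an internal go-link that will not resolve for readers of the public policy; either link a public page or drop the link and keep the plain reference.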
To avoid ruling out other kinds of in-product notifications, suggestion:
... in-product notifications (such as by putting...).
Up to you though.