Security document update #8233
Security document update #8233
Conversation
kuljotbiring
force-pushed
the
security-document-update
branch
from
b8409e9
to
2ba4609
Compare
…mer to SECURITY.md document Signed-off-by: Kuljot Biring <ksbiring1@gmail.com>
…ext, bold text for bottom of disclaimer Signed-off-byL Kuljot Biring <ksbiring1@gmail.com>
kuljotbiring
force-pushed
the
security-document-update
branch
from
2ba4609
to
4231261
Compare
|
To address the DCO requirement you'll need to sign-off the commit(s): |
|
I agree with developercertificate.org. |
| @@ -1,3 +1,4 @@ | |||
|
|
|||
There was a problem hiding this comment.
This white space change is unnecessary
|
|
||
| ## Reporting a Bug | ||
|
|
||
| Please report any bugs via our issue [Bug Issue Tracker](https://github.com/zaproxy/zaproxy/issues/new/choose) |
|
|
||
| ## Security Advisories | ||
|
|
||
| Currently, there are not any published security advisories. |
There was a problem hiding this comment.
I’m don’t think this is true/accurate, I’d have to go digging. Pretty sure we have/had at least one.
There was a problem hiding this comment.
We have had some security bugs reported which we've fixed, but we have not published ny security advisories.
Maybe we should...
There was a problem hiding this comment.
I thought one or two had assigned CVEs (via the reporter not us), which I was lumping into the 'advisory' category.
|
|
||
| All rules are contained in add-ons so that they can be updated quickly and easily. | ||
|
|
||
| Active scanning is an attack on those targets. |
There was a problem hiding this comment.
What targets? The text was just talking about scan rules
| You should NOT use it on web applications that you do not own. | ||
|
|
||
| It should be noted that active scanning can only find certain types of vulnerabilities. | ||
| Logical vulnerabilities, such as broken access control, will not be found by any active or automated vulnerability scanning. |
There was a problem hiding this comment.
This isn’t really true, you can use the Access Control add-on to scan for those. It would be more realistic to say something about business logic issues.
| All rules are contained in add-ons so that they can be updated quickly and easily. | ||
|
|
||
| Active scanning is an attack on those targets. | ||
| You should NOT use it on web applications that you do not own. |
There was a problem hiding this comment.
The note below is more accurate, you don’t have to own it to be authorized to asses something
|
|
||
| 2. Legality and Compliance: You alone are responsible for ensuring that your use of Zaproxy complies with all applicable laws, regulations, and ethical standards. Please follow the applicable legal requirements and industry best practices at all times. | ||
|
|
||
| 3. Privacy and Data Protection: When using Zaproxy, refrain from engaging in activities that compromise the privacy or security of data, PII and other sensitive data. |
There was a problem hiding this comment.
PII and sensitive data are data. This should be shortened
I agree. |
|
|
||
| By using Zaproxy, you agree to comply with the terms and conditions below. Terms and conditions may be subject to change or modification at any time. Users are responsible for reviewing the terms regularly to ensure compliance with the latest version. | ||
|
|
||
| 1. Authorized Usage: You may only use Zaproxy for the purpose of assessing the security of web applications for which you have explicit and authorized access, permission, or ownership. Unauthorized scanning is strictly prohibited and unlawful. |
There was a problem hiding this comment.
We never use Zaproxy in this context, so this should be ZAP.
https://www.zaproxy.org/docs/developer/dev-rules-and-guidelines/#style-guidelines
|
|
||
| 5. Use of this tool may cause disruption or unintended consequences to web applications and systems. The user is responsible for any damages or issues that may arise during or after the use of this tool. | ||
|
|
||
|
|
There was a problem hiding this comment.
Zaproxy would cannot be held responsible legally for any misuse of the product, not permitted by Zaproxy policy.
Added direct links to reporting a bug, scan policies, and terms of use in order to make the document more robust and accessible to users of the product. Added (lack of) security advisory. Document updated with intent and scope of product use with words of caution to users while using the application.