From 3ee50699a91218bd6f9d96f9b5e29a9a77f66e77 Mon Sep 17 00:00:00 2001 From: "Thu A. Tran" Date: Tue, 27 Feb 2024 15:56:17 -0500 Subject: [PATCH] #86 re-add SECURITY.md file --- SECURITY.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..f16eaf924 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## Reporting a Vulnerability +Please use the CVE Program web forms to report security vulnerabilities for the +CVE website. Please include vulnerability details, steps to reproduce (e.g., proof-of-concept code, +screenshots) and an assessment of the impact in your report. We appreciate concise and high-quality reports. + +## Web Form Submissions + +* In the “Select a request type” drop down menu, please select “Other” +* Enter your email address in the space provided +* You may enter a PGP key if you prefer to encrypt your correspondence +* In the “Type of comment” drop down menu, please select “Issue” +* In the textbox labeled “Please provide your question, issue, comment, etc.” please start the message with the following information: + - First Line: “CVE Website Security Anomaly Report” + - Second Line: “Distribution: CVE Website Development Team” + - Third Line: "Description: [Free Text description of the anomaly]” +* Enter the Security code +* Click “Submit Request” + +## Scope + +The CVE website and CVE Website repository on +GitHub are in scope for reporting vulnerabilities. + +## Fixes +We will release fixes for verified security vulnerabilities. We expect to publish vulnerabilities using GitHub +security advisories. + +## Coordination +We appreciate the opportunity to investigate and develop fixes before public disclosure, following coordinated vulnerability disclosure practices. \ No newline at end of file
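Review bot: In the "Reporting a Vulnerability" and "Web Form Submissions" sections, the new SECURITY.md tells reporters to use "the CVE Program web forms" but never links to the form, and the "Scope" section names "the CVE Website repository on GitHub" without a URL, so a reporter landing on this file cannot find either without searching; please add the form URL and the repository URL, and while touching that text fix the mismatched quotes on the `- Third Line: "Description: [Free Text description of the anomaly]”` bullet (straight opening quote, curly closing quote) to match the other two bullets. Also add the missing trailing newline flagged by `\ No newline at end of file` on the last line of the hunk.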