forked from cert-manager/aws-privateca-issuer
Update README to include information about deleting PCAs and Add SECURITY.MD (cert-manager#17)
Co-authored-by: Akbar Baig <[email protected]>
Showing 2 changed files with 43 additions and 0 deletions.
@@ -0,0 +1,41 @@ | ||
# Vulnerability Reporting Process | ||
|
||
Security is the number one priority for the AWS Private Certificate Authority (AWS PCA) external issuer for cert-manager. If you think you've found a | ||
security vulnerability in the AWS PCA external issuer for | ||
cert-manager, you're in the right place. | ||
|
||
Our reporting procedure is a work-in-progress, and will evolve over time. We | ||
welcome advice, feedback and pull requests for improving our security | ||
reporting processes. | ||
|
||
## Covered Repositories and Issues | ||
|
||
This reporting process is intended only for security issues in the AWS PCA external | ||
issuer itself, and doesn't apply to applications _using_ the exteral issuer or to | ||
issues which do not affect security. | ||
|
||
Broadly speaking, if the issue cannot be fixed by a change to the AWS PCA external issuer | ||
, then it might not be appropriate to use this reporting | ||
mechanism and a GitHub issue in the appropriate repo. | ||
|
||
All that said, **if you're unsure** please reach out using this process before | ||
raising your issue through another channel. We'd rather err on the side of | ||
caution! | ||
|
||
## Reporting Process | ||
|
||
1. Describe the issue in English, ideally with some example configuration or | ||
code which allows the issue to be reproduced. Explain why you believe this | ||
to be a security issue in AWS PCA external issuer, if that's not obvious. | ||
2. Put that information into an email. Use a descriptive title. | ||
3. Send the email to [`AWS Security and the Maintainers of this Plugin`](mailto:[email protected],[email protected],[email protected],[email protected]) | ||
|
||
## Response | ||
|
||
Response times could be affected by weekends, holidays, breaks or time zone | ||
differences. That said, the security response team will endeavour to reply as | ||
soon as possible. | ||
|
||
As soon as the team decides that the report is of a genuine vulnerability, | ||
one of the team will respond to the reporter acknowledging the issue and | ||
establishing a disclosure timeline, which should be as soon as possible. |
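Review bot: the second paragraph under "Covered Repositories and Issues" has lost its verb, so the guidance on where else to report never gets stated: "then it might not be appropriate to use this reporting mechanism and a GitHub issue in the appropriate repo." should read along the lines of "then this reporting mechanism might not be appropriate, and a GitHub issue in the appropriate repo may be the better channel." Two smaller points in the same file: "exteral" in the first paragraph of that section should be "external", and step 3 of "Reporting Process" asks reporters to send reproduction details, which the first step explicitly requests, to four mailboxes over plain email without offering a PGP key fingerprint or any other encrypted intake; consider publishing a key or an encrypted submission route next to the mailto link. The "Response" section promises a disclosure timeline but gives no target window for the initial acknowledgement, so adding an expected acknowledgement period (for example a number of business days) would set reporter expectations before the timeline discussion starts.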