From 7afd63f5e52e3ca77837bb452bbe1e34fa69ee5f Mon Sep 17 00:00:00 2001 From: Theofanis Petkos Date: Tue, 3 Sep 2024 17:12:14 +0100 Subject: [PATCH] Add security.md (#1627) * Add security.md Signed-off-by: thepetk * Update content of security.md Signed-off-by: thepetk * Update email address Signed-off-by: thepetk * Update SECURITY.md Co-authored-by: Jordan Dubrick Signed-off-by: thepetk * Update SECURITY.md Co-authored-by: Jordan Dubrick Signed-off-by: thepetk * Update SECURITY.md Co-authored-by: Jordan Dubrick Signed-off-by: thepetk * Update SECURITY.md Co-authored-by: Michael Valdron Signed-off-by: thepetk --------- Signed-off-by: thepetk Co-authored-by: Jordan Dubrick Co-authored-by: Michael Valdron --- SECURITY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..3e67827c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Reporting of Security Issues + +The devfiles team takes immediate action to address security-related issues involving devfile projects. + +Note, that normally we try to fix issues found for the latest releases of our projects. Backport fixes will be made only for exceptional cases, if the team has identified the need to do so. + +## Reporting Process + +When a security vulnerability is found, it is important to not accidentally broadcast publicly that the issue exists to avoid potential exploits. The preferred way of reporting security issues in Devfiles is listed below. + +## Contact Us + +An email to team-devfile-security@redhat.com is the preferred mechanism for outside users to report security issues. A member of the devfile team will open the required issues and keep you up-to-date about the status of the issue. + +## What To Avoid + +Do not open a public issue, send a pull request, or disclose any information about the suspected vulnerability publicly, **including in your own publicly visible git repository**.
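Review bot: The "Contact Us" section in this hunk gives the team-devfile-security@redhat.com address but no expectation for the reporter, which is the one thing most readers of a SECURITY.md come for: add a sentence stating when an acknowledgement can be expected (e.g. "We aim to acknowledge reports within N business days") and whether reporters should include affected project and version, reproduction steps, and impact, since "A member of the devfile team will open the required issues" otherwise leaves the reporter guessing what happens next. Related, "Reporting Process" says "The preferred way of reporting security issues in Devfiles is listed below" but contains no process of its own; either fold it into "Contact Us" or use it to state the coordinated-disclosure terms the "What To Avoid" section implies (who decides when the issue becomes public, and whether the reporter is credited). Two smaller points: the policy scopes fixes to "the latest releases of our projects" without saying which versions are considered supported, so a short supported-versions note would make the backport statement actionable; and "Note, that normally we try to fix issues" should drop the comma after "Note".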