Skip to content

Security: testsigmahq/testsigma

Security

SECURITY.md

Reporting Vulnerabilities

We extend our sincere gratitude to anyone who reports vulnerabilities to Testsigma Community. These reports are comprehensively investigated by community volunteers as well as Testsigma Team.

To report a security issue, please email us at [email protected] with a detailed overview and necessary information attached. For more details, visit the Vulnerability Disclosure Program. We urge you to report any vulnerabilities responsibly so that we can continue building a secure application for the entire community.

When Should I Report a Vulnerability?

  • You think you have discovered a potential security vulnerability in the Testsigma or related components.
  • You are unsure how a vulnerability affects the Testsigma project.
  • You think you discovered a vulnerability in another project that Testsigma depends on (e.g. MySQL, Docker, NGINX, etc). -You want to report any other security risk that could potentially harm Testsigma users.

When Should I NOT Report a Vulnerability?

  • You need help tuning Testsigma components for security.
  • You need help applying security-related updates.
  • Your issue is not security-related.

Security Vulnerability Response

Each report is acknowledged and analyzed by the project's maintainers and the security team within 3 working days. The reporter will be kept updated at every stage of the issue's analysis and resolution (triage -> fix -> release).

Public Disclosure Timing

A public disclosure date is negotiated by the Testsigma product security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Testsigma maintainers and the security team will take the final call on setting a disclosure date.

(Some sections have been inspired and adapted from https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md).

There aren’t any published security advisories