|
2 | 2 |
|
3 | 3 | ## Supported Versions |
4 | 4 |
|
5 | | -We support the latest version only. |
| 5 | +The latest version is currently supported and receives security updates. |
| 6 | + |
6 | 7 |
|
7 | 8 | ## Reporting a Vulnerability |
8 | 9 |
|
9 | | -Please report any vulnerabilities you find to info[at]linuxfabrik[dot]ch. |
10 | | -We will respond and assess the risk as soon as possible (usually within a few working days) |
11 | | -and provide a fix and a new release. |
| 10 | +We're extremely grateful for security researchers and users that report |
| 11 | +vulnerabilities to us. All reports are thoroughly investigated by our team. |
| 12 | + |
| 13 | +Vulnerabilities are reported privately via GitHub's |
| 14 | +[Security Advisories](https://docs.github.com/en/code-security/security-advisories) |
| 15 | +feature. Please use the following link to submit your vulnerability: |
| 16 | +[Report a vulnerability](https://github.com/Linuxfabrik/monitoring-plugins/security/advisories/new) |
| 17 | + |
| 18 | +Please see |
| 19 | +[Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability) |
| 20 | +for more information on how to submit a vulnerability using GitHub's interface. |
| 21 | + |
| 22 | + |
| 23 | +### When Should I Report a Vulnerability? |
| 24 | + |
| 25 | +- You think you discovered a potential security vulnerability |
| 26 | +- You are unsure how a vulnerability affects your system |
| 27 | +- You think you discovered a vulnerability in another project that this project depends on |
| 28 | + - For projects with their own vulnerability reporting and disclosure process, please report it directly there |
| 29 | + |
| 30 | +### When Should I NOT Report a Vulnerability? |
| 31 | + |
| 32 | +- You need help tuning your System for security |
| 33 | +- You need help applying security related updates |
| 34 | +- Your issue is not security related |
| 35 | + |
| 36 | + |
| 37 | +### Vulnerability Response |
| 38 | + |
| 39 | +Each report is acknowledged and analyzed within 30 days. |
| 40 | + |
| 41 | +Any vulnerability information stays within this project and will not be disseminated to other projects |
| 42 | +unless it is necessary to get the issue fixed. |
| 43 | + |
| 44 | +As the security issue moves from triage, to identified fix, to release planning |
| 45 | +we will keep the reporter updated. |
| 46 | + |
| 47 | + |
| 48 | +## Security Release & Disclosure Process |
| 49 | + |
| 50 | +Security vulnerabilities should be handled quickly and sometimes privately. The |
| 51 | +primary goal of this process is to reduce the total time users are vulnerable |
| 52 | +to publicly known exploits. |
| 53 | + |
| 54 | + |
| 55 | +### Private Disclosure |
| 56 | + |
| 57 | +We ask that all suspected vulnerabilities be privately and responsibly |
| 58 | +disclosed via the [private disclosure process](#reporting-a-vulnerability) |
| 59 | +outlined above. |
| 60 | + |
| 61 | +Fixes may be developed and tested by our team in a |
| 62 | +[temporary private fork](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) |
| 63 | +that are private from the general public if deemed necessary. |
| 64 | + |
| 65 | + |
| 66 | +### Public Disclosure |
| 67 | + |
| 68 | +Vulnerabilities are disclosed publicly as GitHub [Security |
| 69 | +Advisories](https://github.com/Linuxfabrik/monitoring-plugins/security/advisories). |
| 70 | + |
| 71 | +A public disclosure date is negotiated by our team |
| 72 | +and the bug submitter. We prefer to fully disclose the bug as soon as possible |
| 73 | +once a user mitigation is available. It is reasonable to delay disclosure when |
| 74 | +the bug or the fix is not yet fully understood, the solution is not |
| 75 | +well-tested, or for vendor coordination. The timeframe for disclosure is from |
| 76 | +immediate (especially if it's already publicly known) to several weeks. For a |
| 77 | +vulnerability with a straightforward mitigation, we expect report date to |
| 78 | +disclosure date to be on the order of 30 days. |
| 79 | + |
| 80 | +If you know of a publicly disclosed security vulnerability please IMMEDIATELY |
| 81 | +[report the vulnerability](#reporting-a-vulnerability) to inform the team about the vulnerability so they may start the |
| 82 | +patch, release, and communication process. |
| 83 | + |
| 84 | +If possible the team will ask the person making the public report if |
| 85 | +the issue can be handled via a private disclosure process. If the reporter |
| 86 | +denies the request, the team will move swiftly with the fix and |
| 87 | +release process. In extreme cases you can ask GitHub to delete the issue but |
| 88 | +this generally isn't necessary and is unlikely to make a public disclosure less |
| 89 | +damaging. |
| 90 | + |
| 91 | +### Security Releases |
| 92 | + |
| 93 | +Once a fix is available it will be released and announced via the project on |
| 94 | +GitHub. |
| 95 | +Security releases will announced and clearly marked as a security release and |
| 96 | +include information on which vulnerabilities were fixed. As much as possible |
| 97 | +this announcement should be actionable, and include any mitigating steps users |
| 98 | +can take prior to upgrading to a fixed version. |
| 99 | + |
| 100 | +Fixes will be applied in new releases and all fixed vulnerabilities will be noted in |
| 101 | +the [CHANGELOG](./CHANGELOG.md). |
0 commit comments