Create SECURITY.md #886
Create SECURITY.md #886
Conversation
I am not responsible of the disclosure department. Could you choose the condition (avoiding to attack the infra or not?, how to reward if reward?, etc...).
|
We require contributors to sign our Contributor License Agreement (CLA), and we don't have yours on file. In order for us to review and merge your code, please sign CLA to get yourself added. Sourcegraph teammates: |
|
Thanks for the suggestion @gogo2464, I'm asking around internally for some guidance on this. |
| # Security Policy | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| Any impacted version are intersting to know and to report vulnerabilities. | ||
|
|
||
| ## Reporting a Vulnerability | ||
|
|
||
| In case you found a vulnerability in source graph, you could report a private vulnerability disclosure to [email protected]. |
There was a problem hiding this comment.
This what our policy typically would look like:
| # Security Policy | |
| ## Supported Versions | |
| Any impacted version are intersting to know and to report vulnerabilities. | |
| ## Reporting a Vulnerability | |
| In case you found a vulnerability in source graph, you could report a private vulnerability disclosure to [email protected]. | |
| # Security Policy | |
| Our security policy is documented at https://sourcegraph.com/security. |
There was a problem hiding this comment.
I can provide the link. I want to ensure that, in practice, a cyber security researcher could send a private email to someone in the team to fix the vulnerability.
There was a problem hiding this comment.
If you follow the link, there's a bug bounty instruction that asks for emailing to [email protected].
|
Thank you for helping us out here. If you address these changes I am happy to merge! |
|
The point is if somebody finds a software vulnerability, he could report to a private person. |
I am not responsible of the disclosure department. Could you choose the condition (avoiding to attack the infra or not?, how to reward if reward?, etc...).