Please include as much details as needed to clearly qualify the issue:
23
23
24
24
- A description of the vulnerability and its potential impact.
25
25
- Steps to reproduce the vulnerability.
26
-
- The version of `xxxx` package where the vulnerability exists.
26
+
- The version of the `formal-ledger-specifications` package where the vulnerability exists.
27
27
- Any relevant proof-of-concept or exploit code (if applicable).
28
28
29
29
### Processing Vulnerability
30
30
31
31
1.**Acknowledgment**: The team acknowledges the receipt of your report
32
32
within 3 business days by commenting on the issue reporting it or replying to email.
33
33
34
-
2.**Validation**: The team investigates the issue and either _reject_ or _validate_ the
34
+
2.**Validation**: The team investigates the issue and either _rejects_ or _validates_ the
35
35
reported vulnerability.
36
36
37
37
a. **Rejection**: If the team rejects the report, detailed explanations will be provided by email or commenting on the relevant issue and the latter will be made public and closed as `Won't fix`.
38
38
39
-
b. **Acceptance**: If the team accepts the report, a CVE identifier will be requested through GitHub and a [private fork](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) opened to work on a fix to the issue
39
+
b. **Acceptance**: If the team accepts the report, a CVE identifier will be requested through GitHub and a [private fork](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability)will be opened to work on a fix to the issue.
40
40
41
41
3.**Resolution**: The team works to resolve the vulnerability in a
42
42
timely manner. The timeline for resolution will depend on the
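Review bot: the new Acceptance line (2b) drops the space between the link and the word that follows it: `...security-vulnerability)will be opened to work on a fix` should read `...security-vulnerability) will be opened to work on a fix`, otherwise the rendered sentence reads "private forkwill be opened". While this list is being touched, the step markers `1.**Acknowledgment**`, `2.**Validation**` and `3.**Resolution**` have no space after the period, so GitHub Markdown renders them as plain paragraphs rather than an ordered list; `1. **Acknowledgment**` (and likewise for the others) fixes that.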
@@ -50,15 +50,15 @@ Please include as much details as needed to clearly qualify the issue:
50
50
51
51
5.**Fixing Issue**: The team agrees on the fix, the announcement, and the release schedule with the reporter. If the reporter is not responsive in a reasonable time frame this should not block the team from moving to the next steps particularly in the face of a high impact or high severity issue.
52
52
53
-
a. **Mitigation**: Depending on the severity and criticity of the issue, the team can decide to disclose the issue publicly in the absence of a fix _if and only if_ a clear, simple, and effective mitigation plan is defined. This _must_ include instructions for users and operators of the software, and a time horizon at which the issue will be properly fixed (eg. version number).
53
+
a. **Mitigation**: Depending on the severity and criticality of the issue, the team can decide to disclose the issue publicly in the absence of a fix _if and only if_ a clear, simple, and effective mitigation plan is defined. This _must_ include instructions for users and operators of the software, and a time horizon at which the issue will be properly fixed (eg. version number).
54
54
55
55
b. **Fix**: When a fix is available and approved, it should be merged and made available as quickly as possible:
56
56
57
-
- All commits to the private repository are squashed into a single commit whose description _should not_ make any reference it relates to a security vulnerability
57
+
- All commits to the private repository are squashed into a single commit whose description _should not_ make any reference that it relates to a security vulnerability
58
58
- A new Pull Request is created with this single commit
59
-
- This PR's review and merging is expedited as all the work as already been done
59
+
- This PR's review and merging is expedited as all the work has already been done
60
60
61
-
6.**Release**: The team creates and publish a release that includes the fix
61
+
6.**Release**: The team creates and publishes a release that includes the fix.
62
62
63
63
7.**Announcement**: Concomitant to the release announcement, the team announces the security vulnerability by making the GitHub issue public. This is the first point that any information regarding the vulnerability is made public.
64
64
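Review bot: the Mitigation line (5a) corrects "criticity" but keeps "(eg. version number)"; the abbreviation should be "e.g.". In 5b the first bullet says "All commits to the private repository are squashed", whereas step 2b calls the same thing a "private fork"; use one term so readers do not look for a second repository. The same ordered-list spacing problem as in the earlier steps applies to `5.**Fixing Issue**`, `6.**Release**` and `7.**Announcement**`.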
@@ -89,18 +89,17 @@ report security vulnerabilities to us.
89
89
90
90
## Contact Information
91
91
92
-
To report a security vulnerability, please use [GitHub
93
-
form]((add project github form for your project)). Should you experience any issues reporting via GitHub or have other questions, Please contact [Security](security@intersectmbo.org).
92
+
To report a security vulnerability, please use the [GitHub security advisory form](https://github.com/IntersectMBO/formal-ledger-specifications/security/advisories/new). Should you experience any issues reporting via GitHub or have other questions, please contact [security@intersectmbo.org](mailto:security@intersectmbo.org).
94
93
95
94
## Revision of Policy
96
95
97
96
This Security Vulnerability Disclosure Policy may be updated or
98
97
revised as necessary. Please check the latest version of this policy
99
-
on the [xxxx repository]((add link for your project)).
98
+
on the [formal-ledger-specifications repository](https://github.com/IntersectMBO/formal-ledger-specifications).
100
99
101
100
## Conclusion
102
101
103
-
The xxxx project greatly appreciates the assistance of the security
102
+
The formal-ledger-specifications project greatly appreciates the assistance of the security
104
103
community in helping us maintain the security of our software while
105
104
upholding the highest standards of privacy. Together, we can work to
106
105
identify and address vulnerabilities, ensuring a safer and more secure
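Review bot: the Contact Information change now sends reporters to the repository's security advisory form, but the process steps earlier in the file still describe a GitHub issue: step 1 acknowledges receipt "by commenting on the issue", step 2a closes the report "as `Won't fix`", and step 7 announces the vulnerability "by making the GitHub issue public". A report filed through the advisory form is a private security advisory, not an issue, and it is published rather than reopened, so the step wording should be aligned with the advisory flow (or the policy should say how advisory reports map onto those steps). The `mailto:` change is correct: the old `[Security](security@intersectmbo.org)` would have rendered as a relative link to a nonexistent page rather than an email address.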