mirror of
https://github.com/processone/ejabberd.git
synced 2024-12-24 17:29:28 +01:00
Add security policy and reporting guidelines
This commit is contained in:
parent
26e8679359
commit
2eb605873c
@ -87,6 +87,11 @@ or some other method from [ProcessOne Contact][p1contact].
|
||||
For commercial offering and support, including [ejabberd Business Edition][p1home]
|
||||
and [Fluux (ejabberd in the Cloud)][fluux], please check [ProcessOne ejabberd page][p1home].
|
||||
|
||||
Security
|
||||
--------
|
||||
|
||||
For information on how to report security vulnerabilities, please refer to the [SECURITY.md](SECURITY.md) file. It contains guidelines on how to report vulnerabilities privately and securely, ensuring that any issues are addressed in a timely and confidential manner.
|
||||
|
||||
Community
|
||||
---------
|
||||
|
||||
|
45
SECURITY.md
Normal file
45
SECURITY.md
Normal file
@ -0,0 +1,45 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
We recommend that all users always use the latest version of ejabberd.
|
||||
|
||||
To ensure the best experience and security, upgrade to the latest version available on [this repo](https://github.com/processone/ejabberd).
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
### Private Reporting
|
||||
|
||||
**Preferred Method**: Use GitHub's private vulnerability reporting system by clicking the "Report a Vulnerability" button in the [Security tab of this repository](https://github.com/processone/ejabberd/security). This ensures your report is securely transmitted and tracked.
|
||||
|
||||
**Alternative**: If you cannot use the GitHub system, send an email to **`contact@process-one.net`** with the following details:
|
||||
|
||||
- A clear description of the vulnerability.
|
||||
- Steps to reproduce the issue.
|
||||
- Any potential impact or exploitation scenarios.
|
||||
|
||||
### Response Time
|
||||
|
||||
We aim to acknowledge receipt of your report within 72 hours. You can expect regular updates on the status of your report.
|
||||
|
||||
### Resolution
|
||||
|
||||
If the vulnerability is confirmed, we will work on a patch or mitigation strategy.
|
||||
We will notify you once the issue is resolved and coordinate a public disclosure if needed.
|
||||
|
||||
### Acknowledgements
|
||||
|
||||
We value and appreciate the contributions of security researchers and community members.
|
||||
If you wish, we are happy to acknowledge your efforts publicly by listing your name (or alias) below in this document.
|
||||
Please let us know if you would like to be recognized when reporting the vulnerability.
|
||||
|
||||
## Public Discussion
|
||||
|
||||
For general inquiries or discussions about the project’s security, feel free to chat with us here:
|
||||
|
||||
- XMPP room: `ejabberd@conference.process-one.net`
|
||||
- [GitHub Discussions](https://github.com/processone/ejabberd/discussions)
|
||||
|
||||
However, please note that if the issue is **critical** or potentially exploitable, **do not share it publicly**. Instead, we strongly recommend you contact the maintainers directly via the private reporting methods outlined above to ensure a secure and timely response.
|
||||
|
||||
Thank you for helping us improve the security of ejabberd!
|
Loading…
Reference in New Issue
Block a user