From: Peter Stöckli Date: Wed, 3 Aug 2022 15:49:08 +0000 (+0200) Subject: 19328: Add security policy X-Git-Tag: 2.5.0~104^2 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/f1e7c6e0018d276aae506b52ce18e7c31bf48479 19328: Add security policy Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- diff --git a/.licenseignore b/.licenseignore index 203c378bdc..6ddb5c009c 100644 --- a/.licenseignore +++ b/.licenseignore @@ -92,3 +92,4 @@ sdk/cwl/tests/wf/hello.txt sdk/cwl/tests/wf/indir1/hello2.txt sdk/cwl/tests/chipseq/data/Genomes/* CITATION.cff +SECURITY.md \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..4e16ed5f7d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,42 @@ +# Arvados Project Security Policy + +## Supported Versions + +The Arvados project will issue security fixes by making point releases +on the current stable release series (X.Y.0, X.Y.1, X.Y.2, etc). + +The most recent stable release version, along with release notes and +upgrade notes documenting security fixes, can be found at these +locations: + +https://arvados.org/releases/ + +https://doc.arvados.org/admin/upgrading.html + +The Arvados project does not support versions older than the current +stable release except by special arrangement (contact info@curii.com). + +Release announcements, including notification of security fixes, are +sent to the Arvados announcement list: + +https://lists.arvados.org//mailman/listinfo/arvados + +## Reporting Security Issues + +If you believe you have found a security vulnerability in any Arvados-owned repository, please report it to us through coordinated disclosure. + +**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** + +Instead, please send an email to dev@curii.com. + +Please include as much of the information listed below as you can to help us better understand and resolve the issue: + + * The type of issue (e.g., remote code execution, SQL injection, or cross-site scripting) + * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly.
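Review bot: in the `.licenseignore` hunk, the new `+SECURITY.md` entry is added without a trailing newline (`\ No newline at end of file`), whereas the preceding `CITATION.cff` line had one; please terminate the file with a newline so the next entry appended here diffs as a single clean `+` line and line-oriented readers of the ignore list see the final entry consistently.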
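Review bot: in the `SECURITY.md` hunk, the "Reporting Security Issues" section asks reporters to send proof-of-concept or exploit code to `dev@curii.com` but gives no way to encrypt that material (no PGP key or fingerprint, and no alternative channel for sensitive attachments); consider adding one, since the same section explicitly steers reporters away from public GitHub issues, discussions and pull requests. The policy also states that disclosure is coordinated without saying what the reporter can expect in return (an acknowledgement window, a target fix timeline, or how credit and publication are handled), which is what most reporters look for first; a short sentence on each would strengthen the section. Minor: the announcement-list link `https://lists.arvados.org//mailman/listinfo/arvados` contains a doubled slash after the host.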