diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e7cbac5 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,32 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 1.x.x | :white_check_mark: | +| < 1.0.0 | :x: | + +> [!IMPORTANT] +> Currently DetectMateService is a work in progress and heavily under development. Possible vulnerabilities will not be treated any special and can be issued using [GitHub-Issues](https://github.com/ait-detectmate/DetectMateService/issues) + +## Reporting a Vulnerability + +Please email reports about any security related issues you find to aecid@ait.ac.at. This mail is delivered to a small developer team. Your email will be acknowledged within one business day, and you'll receive a more detailed response to your email within 7 days indicating the next steps in handling your report. + +Please use a descriptive subject line for your report email. After the initial reply to your report, our team will endeavor to keep you informed of the progress being made towards a fix and announcement. + +In addition, please include the following information along with your report: + +* Your name and affiliation (if any). +* A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings. +* An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex. +* Whether this vulnerability public or known to third parties. If it is, please provide details. +* Whether we could mention your name in the changelogs. + +Once an issue is reported we use the following disclosure process: + +* When a report is received, we confirm the issue and determine its severity. +* If we know of specific third-party services or software based on DetectMateService that require mitigation before publication, those projects will be notified. +* Fixes are prepared for the last minor release of the latest major release. 
+* Patch releases are published for all fixed released versions.
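Review bot: the `> [!IMPORTANT]` callout under "Supported Versions" contradicts the "Reporting a Vulnerability" section that follows it: the callout says vulnerabilities "will not be treated any special" and may be filed as public GitHub Issues, while the next section asks reporters to email aecid@ait.ac.at privately, promises acknowledgement within one business day, and describes a coordinated disclosure process with pre-notification of downstream projects. A reporter reading the callout first will open a public issue and the disclosure process becomes moot. Either drop the callout, or reword it so that it only states that the project is pre-1.0 and under heavy development while still directing security reports to the email address (e.g. "Until 1.0.0 there are no supported releases, but please still report security issues by email as described below rather than in public issues"). The version table has the same tension with the disclosure bullets: it marks every `1.x.x` as supported, but "Fixes are prepared for the last minor release of the latest major release" means only the newest minor actually receives fixes; state that explicitly in the table or in the bullet so both say the same thing. Minor wording fixes in the same hunk: "will not be treated any special" -> "will not receive special treatment", "An explanation who can exploit" -> "An explanation of who can exploit", "Whether this vulnerability public or known" -> "Whether this vulnerability is public or known", and "Patch releases are published for all fixed released versions" -> "Patch releases are published for every supported version that received a fix". Finally, the reporting section offers no way to encrypt a report; if the team has a PGP key (or a GitHub private vulnerability reporting channel), link it here, otherwise say plainly that reports are accepted in plaintext so reporters can decide what to include.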