diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 00000000..eee6b260 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,43 @@ +# Security policy +1. [Supported Versions](#1-supported-versions) +2. [Vulnerability Report](#2-vulnerability-report) +3. [Security Disclosure](#3-security-disclosure) + +--- + +## 1. Supported Versions + +We are releasing patches to eliminate vulnerabilities, you can see below: + +| Version | Supported by | +| ----------- | ------------ | +| 0.1.x-0.4.x | N/A | + +--- + +## 2. Vulnerability Report + +The mTower command assigns the highest priority to all security bugs in mTower. We appreciate your efforts and +responsible disclosure of information to eliminate vulnerabilities. + +Please report security bugs by emailing the Lead Maintenance Specialist at t.drozdovsky@samsung.com. marked "SECURITY" or create an issue in the repository. +Our team will confirm your request and within 72 hours will try to prepare recommendations for elimination. Our team will keep you updated on the progress towards the fix until the full announcement of the patch release. During this process, the security team may request additional information or guidance. + +--- + +## 3. Security Disclosure + +When a security group receives a security error report as previously mentioned, it is assigned the highest priority and the person in charge. This person will coordinate the patch and release process, +including the following steps: + + * Confirm the problem and identify the affected versions. + * Check the code to find any similar problems. + * Prepare fixes for all releases still in maintenance. These fixes will + released as quickly as possible. + +We suggest the following format when disclosing vulnerabilities: + + * Your name and email. + * Include scope of vulnerability. Let us know who could use this exploit. + * Document steps to identify the vulnerability. It is important that we can reproduce your findings. + * How to exploit vulnerability, give us an attack scenario.