Update security policy: private advisory reporting (#16114)
NVDA now uses GitHub's new feature for reporting Security Issues privately through the advisory system. The security process should be updated to encourage using this new process rather than email.
Showing 2 changed files with 33 additions and 2 deletions.
@@ -0,0 +1,29 @@ | ||
### Summary | ||
*A summary of the issue.* | ||
*Include the class of vulnerability (e.g. denial of service, privilege escalation).* | ||
*Describe the impact to the user or victim.* | ||
|
||
### Patch commit(s) | ||
*Created publicly on NVDA when merging the advisory pull request(s)* | ||
https://github.com/nvaccess/nvda/commit/ | ||
|
||
### Limitations | ||
*Any caveats on when the software is vulnerable. For example, if only certain configurations are affected.* | ||
|
||
### Technical details | ||
|
||
#### Proof of concept | ||
|
||
#### Indicators of compromise | ||
|
||
### Workarounds | ||
|
||
### Timeline | ||
*history of the disclosure and release process* | ||
- Reported: YYYY/MM/DD | ||
- Acknowledged by NV Access: YYYY/MM/DD | ||
- Fix released - NVDA 20XX.YY: YYYY/MM/DD | ||
|
||
### For more information | ||
If you have any questions or comments about this advisory: | ||
* Email us at [[email protected]](mailto:[email protected]) |
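Review bot: the template has no "Affected versions" section. The Timeline's `Fix released - NVDA 20XX.YY` records the fixed release, but nothing asks the author to state the first vulnerable release or the range in between, which is what a user needs to decide whether to upgrade; suggest adding `### Affected versions` between Summary and Patch commit(s), or folding it into Limitations. Minor: the Timeline hint `*history of the disclosure and release process*` is the only italic descriptor that is lowercase and unpunctuated; match the others ("*History of the disclosure and release process.*").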
@@ -1,9 +1,11 @@ | ||
# Reporting Security Issues | ||
|
||
Please do not report security vulnerabilities through public GitHub issues. | ||
Instead, please report them via an email to [email protected]. | ||
You can report security issues directly through [a GitHub Security Advisory](https://github.com/nvaccess/nvda/security/advisories/new). | ||
Please use [our advisory template](./projectDocs/issues/securityAdvisoryTemplate.md). | ||
Alternatively, please report security issues via an email to [[email protected]](mailto:[email protected]). | ||
|
||
You should receive an acknowledgement email response within 3 business days. | ||
You should receive an acknowledgement in the advisory or via email response within 3 business days. | ||
If for some reason you do not, please follow up via email to ensure we received your original message. | ||
|
||
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue. | ||
|
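Review bot: the follow-up instruction after the acknowledgement line still says email only ("please follow up via email to ensure we received your original message"), although the advisory is now the primary channel; a reporter who filed an advisory should be told to comment on the advisory (or email) rather than restart the report by email. Also, the template link `./projectDocs/issues/securityAdvisoryTemplate.md` is relative, so it only resolves when security.md is viewed inside the repository; a reporter arriving via the advisory form will not have it, so consider an absolute link.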