Skip to content

Security: solve-it-once/frostdrupal-static

Security

SECURITY.md

Security Policy

We take security seriously, and are committed to resolving security problems in a timely and responsible manner.

Our security protocol for reported vulnerabilities follows the common industry best practices:

  • Allow confidential, non-public reporting of vulnerabilities so they may be resolved prior to public disclosure
  • Resolve reported vulnerabilities within 90 days, acknowledging that any un-resolved vulnerabilities may be responsibly disclosed to the public by the original reporter following 90 days, and that the reporter is within their rights to note in their disclosure that we did not resolve the vulnerability in the stated window
  • Disclose all reported vulnerabilities in a central place in a uniform fashion, and further communicate the resolution to potentially-affected third parties whenever possible
  • Especially when time is a factor, provide a quick patch or other method of resolving the vulnerability for community use

We unfortunately do not have a bug bounty program at this time, but will do our best to acknowledge and otherwise-support any project contributor.

Support

For non-security bugs, requesting new features, etc., see our Support docs.

Reporting a Vulnerability

The project team and community take security seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, email [email protected] and format the subject line like so:

[SECURITY: severity: project-name] Short description of vulnerability

The maintainer will reply quickly to acknowledge receipt of the report. Within 24 hours they will follow up with more information about how the report will be handled and disclosed, with an estimate of the turnaround time. As we work on fixes and disclosures, we will keep you informed of our progress, and may reach out with requests for additional information if you are willing to volunteer it.

Please report third-party vulnerabilities to the applicable third party.

How we will handle a report

When we receive a vulnerability report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

  1. Confirm the problem and determine the affected versions.
  2. Audit code to find any potential similar problems.
  3. Prepare fixes to apply to master, as well as quick patches as applicable
  4. Communicate progress to reporter
  5. Prepare for public disclosure

Security disclosures

The following vulnerabilities were reported to us on the dates in question, and their resolution within the window is noted.

  • (1970-01-01): [no CVE#] -- Example vulnerability reported via email by "Fake Person" to maintainer. Codebase required a modification to the sample example section. Vulnerability is completely resolved as of version 0.0.x, with no mitigating factors.

There aren’t any published security advisories