diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9976a1773..d4876475f 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -11,12 +11,13 @@ Here are some guidelines that will help us integrate your work! You are welcome to create pull requests on any of those subjects: * 🐛 `:bug:` bug fix -* 🔒 `:lock:` security * 🌐 `:globe_with_meridians:` translation / i18n / l10n If you want to implement a **new feature**, please [create a corresponding ticket](https://sourceforge.net/p/itop/tickets/new/) for review. If you ever want to begin implementation, do so in a fork, and add a link to the corresponding commits in the ticket. +For all security related subjects, please see our [security policy](SECURITY.md). + All **datamodel modification** should be done in an extension. Beware that such change would impact all existing customers, and could prevent them from upgrading! diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..360d282f7 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,36 @@ +# 🔒 Reporting vulnerabilities + +We take all security bugs seriously. Thank you for improving the security of iTop! We appreciate your efforts and +responsible disclosure and will make every effort to acknowledge your contributions. + + +## ✉️ How to report + +### iTop vulnerabilities +Please send a procedure to reproduce iTop vulnerabilities to [itop-security@combodo.com](mailto:itop-security@combodo.com). + +You can send us a standard "given / then / when" report, including iTop version, impacts, and maybe installed modules or data if they are +needed to reproduce. + +### Dependencies vulnerabilities +Report security bugs in third-party modules to the person or team maintaining the module, and notify us of this report by sending an email +to [itop-security@combodo.com](mailto:itop-security@combodo.com). + + + +## 📆 Disclosure Policy + +Report sent to us will be acknowledged within the week. + +Then, a Combodo developer will be assigned to the reported issue and will: + +* confirm the problem and determine the affected iTop versions +* audit the code to search any potential similar problems +* try to find a workaround if any +* create fixes for all releases still under maintenance +* send you the commit(s) for review +* send you the next version(s) that will contain the fix, and the estimated release dates + +Security issues always take precedence over bug fixes and feature work. + +The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance.
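Review bot: In the CONTRIBUTING.md hunk, the replacement pointer `+For all security related subjects, please see our [security policy](SECURITY.md).` lands two paragraphs below the bullet list it replaces, so a contributor scanning the "You are welcome to create pull requests on any of those subjects" list no longer sees any mention of security at all and may still open a public PR for a fix. Suggest keeping a bullet in the list that points at the policy instead of dropping `:lock:` silently, e.g. `* 🔒 `:lock:` security: do not open a PR, see [SECURITY.md](SECURITY.md)`, and hyphenating "security-related" in the new sentence.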
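Review bot: In the SECURITY.md hunk, the "How to report" section never tells reporters what not to do: CONTRIBUTING.md still points everyone at the public SourceForge ticket tracker and at forks with public commits, so a line such as "Please do not report security issues through the public ticket tracker or in a pull request" belongs right under `+### iTop vulnerabilities`. The same section gives only a plain mailto and no PGP key or other encrypted channel, so a reporter has no way to send a working exploit confidentially; either publish a key or state that one is available on request. The "Disclosure Policy" commits to a one-week acknowledgement but gives no target for a fix or for coordinated publication, nor does it say whether the reporter is expected to hold the details until the fixed versions ship, or how they will be credited, which the "acknowledge your contributions" sentence in the intro promises; one sentence on each would make the expectations on both sides explicit. "releases still under maintenance" should link to whatever page defines which iTop versions those are. Wording: `+You can send us a standard "given / then / when" report` should read "given / when / then"; `+### Dependencies vulnerabilities` should be "Dependency vulnerabilities"; `+Report sent to us will be acknowledged within the week.` should be "Reports sent to us will be acknowledged within a week"; "audit the code to search any potential similar problems" should be "search for similar problems"; "try to find a workaround if any" should be "look for a workaround, if one exists".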