composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-12 23:14:18 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
fde6cac7a2e893caa56a36db6d3a03d7538084f8
iTop/SECURITY.md
Pierre Goiffon fde6cac7a2 📝 SECURITY: Add disclosure policy (#372) 
Co-authored-by: Molkobain <lajarige.guillaume@free.fr>
2022-12-13 18:15:25 +01:00

45 lines
2.0 KiB
Markdown
Raw Blame History

# 🔒 Reporting vulnerabilities
We take all security bugs seriously. Thank you for improving the security of iTop! We appreciate your efforts and
responsible disclosure and will make every effort to acknowledge your contributions.
## ✉️ How to report
### iTop vulnerabilities
Please send a procedure to reproduce iTop vulnerabilities to [itop-security@combodo.com](mailto:itop-security@combodo.com).
You can send us a standard "given / when / then" report, including iTop version, impacts, and maybe installed modules or data if they are
needed to reproduce.
### Dependencies vulnerabilities
Report security bugs in third-party modules to the person or team maintaining the module, and notify us of this report by sending an email
to [itop-security@combodo.com](mailto:itop-security@combodo.com).
## 🔍 Combodo acknowledgment and investigation
Report sent to us will be acknowledged within the week.
Then, a Combodo developer will be assigned to the reported issue and will:
* confirm the problem and determine the affected iTop versions
* audit the code to search any potential similar problems
* try to find a workaround if any
* create fixes for all releases still under maintenance
* send you the commit(s) for review
* send you the next version(s) that will contain the fix, and the estimated release dates
Security issues always take precedence over bug fixes and feature work.
The assignee will keep you informed of the resolution progress, and may ask you for additional information or guidance.
## 📆 Disclosure Policy
Once the fix is done and acknowledged by every stakeholder, it will be included in the next iTop version.
Mind we have at least 2 active branches (LTS and STS, see [iTop Community Releases [iTop Documentation]](https://www.itophub.io/wiki/page?id=latest:release:start))
The release communications will include the information of the vulnerability fix.
Corresponding GitHub advisories and CVE will be published 3 months after the iTop version release date so that iTop instances can be updated.
Reference in New Issue View Git Blame Copy Permalink