Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added security policy #3070

Merged
merged 7 commits into from Jul 27, 2022
Merged

Added security policy #3070

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3a40121
Added security policy draft
RunDevelopment Sep 11, 2021
1e27e69
Added an exception for low-severity ReDoS
RunDevelopment Sep 16, 2021
d66c465
Added links
RunDevelopment Sep 16, 2021
38e528b
Removed email address
RunDevelopment Mar 22, 2022
74b4342
One sentence per line
RunDevelopment Mar 22, 2022
defc5d7
Merge branch 'master' into Security-Policy
RunDevelopment Jul 26, 2022
7dc09fc
Link MAINTAINERS.md
RunDevelopment Jul 26, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
21 changes: 21 additions & 0 deletions SECURITY.md
View file
Open in desktop
@@ -0,0 +1,21 @@
# Security Policy

## Reporting a Vulnerability

***DO NOT CREATE AN ISSUE*** to report a vulnerability.
RunDevelopment marked this conversation as resolved.
Show resolved Hide resolved

Instead, please send an email to todo-security@example.com.
See [Responsible Disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) for more details.

### Procedure

1. After you send an email to todo-security@example.com, you should receive a response from the [Prism team](https://github.com/orgs/PrismJS/people) within 3 days.

We may require further information, so please keep in touch with us until the vulnerability has been fixed.

2. After the vulnerability has been confirmed and accepted, we will create a [security advisory](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories) and start working on a fix.

You will be [added as a collaborator](https://docs.github.com/en/code-security/security-advisories/adding-a-collaborator-to-a-security-advisory) (this requires a GitHub account).
At this point, all communication will occur using comments on the advisory and the [temporary private fork](https://docs.github.com/en/code-security/security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-security-vulnerability).

3. After the fix has been merged, we will make a new release and publish the security advisory within one week.