Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2435 from liquibase/kristyl-responsible-disclosur…
…e-policy Liquibase Responsible Disclosure Policy
- Loading branch information
Showing
1 changed file
with
36 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
|
|
||
| # Responsible Disclosure Policy | ||
|
|
||
| We encourage security researchers and users to share the details of any suspected vulnerabilities with the Liquibase Information Security Team by submitting the relevant information. Liquibase will review the submission to determine if the finding is valid and has not been previously reported. We require submitters to include detailed information with steps for us to reproduce the vulnerability. | ||
|
|
||
|
|
||
| ## Our Commitment: | ||
| If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Liquibase commits to: | ||
| * Working with you to understand and validate the issue | ||
| * Addressing the risk (if deemed appropriate by Liquibase) | ||
|
|
||
| ## Noncompliance: | ||
|
|
||
| Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Liquibase will deem the submission as noncompliant with this Responsible Disclosure Policy. | ||
|
|
||
| In addition, to remain compliant you are prohibited from: | ||
| * Accessing, downloading, or modifying data residing in an account that does not belong to you | ||
| * Executing or attempting to execute any “Denial of Service” attack | ||
| * Posting, transmitting, uploading, linking to, sending, or storing any malicious software | ||
| * Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages | ||
| * Testing in a manner that would degrade the operation of any Liquibase systems | ||
| * Testing third-party applications, websites, or services that integrate with or link to Liquibase systems | ||
|
|
||
| ## How to Submit a Vulnerability | ||
|
|
||
| While we are happy to receive vulnerability information in any form, we appreciate discrete submission via email to Liquibase's Information Security Team at infosec@liquibase.com with the following details about the security issue. | ||
|
|
||
| ### Submission Details: | ||
|
|
||
| * Summary title (Help us get an idea of what this vulnerability is about) | ||
| * Vulnerability details | ||
| * Description (Describe the vulnerability and its impact) | ||
| * Provide a proof of concept or replication steps | ||
| * Submitter’s email | ||
|
|
||
| While we greatly appreciate community reports regarding security issues, at this time Liquibase does not provide compensation for vulnerability reports. |