From 9af50dff722daedd1d8a46d1e3b54edc11998c59 Mon Sep 17 00:00:00 2001 From: Kristyl Gomes <31962545+kristyldatical@users.noreply.github.com> Date: Fri, 28 Jan 2022 08:54:12 -0600 Subject: [PATCH] Liquibase Responsible Disclosure Policy --- SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..e209fe793be --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,36 @@ + +# Responsible Disclosure Policy + +We encourage security researchers and users to share the details of any suspected vulnerabilities with the Liquibase Information Security Team by submitting the relevant information. Liquibase will review the submission to determine if the finding is valid and has not been previously reported. We require submitters to include detailed information with steps for us to reproduce the vulnerability. + + +## Our Commitment: +If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Liquibase commits to: +* Working with you to understand and validate the issue +* Addressing the risk (if deemed appropriate by Liquibase) + +## Noncompliance: + +Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Liquibase will deem the submission as noncompliant with this Responsible Disclosure Policy. + +In addition, to remain compliant you are prohibited from: +* Accessing, downloading, or modifying data residing in an account that does not belong to you +* Executing or attempting to execute any “Denial of Service” attack +* Posting, transmitting, uploading, linking to, sending, or storing any malicious software +* Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages +* Testing in a manner that would degrade the operation of any Liquibase systems +* Testing third-party applications, websites, or services that integrate with or link to Liquibase systems + +## How to Submit a Vulnerability + +While we are happy to receive vulnerability information in any form, we appreciate discrete submission via email to Liquibase's Information Security Team at infosec@liquibase.com with the following details about the security issue. + +### Submission Details: + +* Summary title (Help us get an idea of what this vulnerability is about) +* Vulnerability details + * Description (Describe the vulnerability and its impact) + * Provide a proof of concept or replication steps +* Submitter’s email + +While we greatly appreciate community reports regarding security issues, at this time Liquibase does not provide compensation for vulnerability reports.