From 00797e28725a7b2eb1a0cff075abd438297099c6 Mon Sep 17 00:00:00 2001 From: Liran Tal Date: Thu, 8 Aug 2019 23:17:34 +0300 Subject: [PATCH 1/2] feat(security): add responsible disclosure policy --- README.md | 2 +- SECURITY.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 779decc9c6d7..e39781e35699 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ $ npm install --save tedious # Microsoft SQL Server - [Contributing](https://github.com/sequelize/sequelize/blob/master/CONTRIBUTING.md) ## Responsible disclosure -If you have any security issue to report, contact project maintainers privately. You can find contact information in [CONTACT.md](https://github.com/sequelize/sequelize/blob/master/CONTACT.md). +If you have security issues to report please refer to our [Responsible Disclosure Policy](./SECURITY.md) for more details. ## Resources diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..4550acfe6247 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy + +## Supported versions + +The following table describes the versions of this project that are currently supported with security updates: + +| Version | Supported | +| ------- | ------------------ | +| 3.x | :white_check_mark: | +| 4.x | :white_check_mark: | +| 5.x | :white_check_mark: | + +## Responsible disclosure security policy + +A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities +without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly +disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users. + +When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. +When contacting a security program their disclosure policy will provide details on timeframe, processes and paid bounties. + +We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at +risk. + +## Reporting a security issue + +At Sequelize, we consider the security of our systems a top priority. But no matter how much effort we put into system +security, there can still be vulnerabilities present. + +If you discover a security vulnerability, please use one of the following means of communications to report it to us: + +* Report the security issue to the Node.js Security WG through the +[HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to +[Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with +all involved parties to remediate and release a fix. + +Note that time-frame and processes are subject to each program’s own policy. + +* Report the security issue to the [project maintainers](./CONTACT.md) directly. 
If the report contains +highly sensitive information, you should consider reporting to one of the above mentioned disclosure programs that allow +sending the report over a secure medium. + +Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge +your contributions. From bcc1a0efa2efe1df6df793246a60a9defdb89660 Mon Sep 17 00:00:00 2001 From: Sushant Date: Sun, 11 Aug 2019 16:00:33 +0530 Subject: [PATCH 2/2] docs: update security.md --- SECURITY.md | 40 ++++++++++------------------------------ 1 file changed, 10 insertions(+), 30 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4550acfe6247..3c8a05c83a38 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -6,39 +6,19 @@ The following table describes the versions of this project that are currently su | Version | Supported | | ------- | ------------------ | -| 3.x | :white_check_mark: | -| 4.x | :white_check_mark: | -| 5.x | :white_check_mark: | +| 3.x | :heavy_check_mark: | +| 4.x | :heavy_check_mark: | +| 5.x | :heavy_check_mark: | -## Responsible disclosure security policy +## Responsible disclosure policy -A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities -without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly -disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users. +At Sequelize, we prioritize security issues and will try to fix them as soon as they are disclosed. -When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. -When contacting a security program their disclosure policy will provide details on timeframe, processes and paid bounties. +If you discover a security vulnerability, please reach the project maintainers privately. You can find related information in [CONTACT.md](./CONTACT.md). -We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at -risk. +After validating & discussing scope of security vulnerability, we will set a time-frame for patch distribution. This time-frame may vary depending upon the nature of vulnerability. -## Reporting a security issue +Once effected versions are patched you may report security issue to any Node.js security vulnerability database. A few which we have worked with in past are listed below. -At Sequelize, we consider the security of our systems a top priority. But no matter how much effort we put into system -security, there can still be vulnerabilities present. 
- -If you discover a security vulnerability, please use one of the following means of communications to report it to us: - -* Report the security issue to the Node.js Security WG through the -[HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to -[Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with -all involved parties to remediate and release a fix. - -Note that time-frame and processes are subject to each program’s own policy. - -* Report the security issue to the [project maintainers](./CONTACT.md) directly. If the report contains -highly sensitive information, you should consider reporting to one of the above mentioned disclosure programs that allow -sending the report over a secure medium. - -Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge -your contributions. +- [NPM](https://www.npmjs.com/advisories/report) +- [Snyk.io](https://snyk.io/vulnerability-disclosure)
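Review bot: In the README.md hunk (patch 1/2), the new `[Responsible Disclosure Policy](./SECURITY.md)` link is relative while the neighbouring `[Contributing](https://github.com/sequelize/sequelize/blob/master/CONTRIBUTING.md)` link, and the `CONTACT.md` link being removed, use absolute GitHub URLs; a README is also rendered outside the repository (package registries, mirrors), where `./SECURITY.md` may not resolve. Suggest keeping the section's convention, e.g. `[Responsible Disclosure Policy](https://github.com/sequelize/sequelize/blob/master/SECURITY.md)`, so the security policy stays reachable wherever the README is shown.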
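Review bot: In the new SECURITY.md (patch 1/2), the paragraph `Note that time-frame and processes are subject to each program's own policy.` sits between the two `*` bullets under "Reporting a security issue", which splits the list and makes the note look like it applies to both options when it describes only the HackerOne/Snyk programs; fold it into the first bullet or place it after the list. Two wording fixes while here: `we will do our best efforts to respond` reads better as `we will make our best effort to respond`, and `means of communications` should be `means of communication`. Finally, the supported-versions table marks 3.x, 4.x and 5.x all as supported; confirm this matches the versions that actually still receive fixes, since a reporter and a user will rely on this table, and add a line stating that unlisted versions are unsupported.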
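Review bot: In the SECURITY.md hunk (patch 2/2), the rewrite drops the previous guidance for reports containing highly sensitive information (`you should consider reporting to one of the above mentioned disclosure programs that allow sending the report over a secure medium`) and now points reporters only to `CONTACT.md`; unless that file publishes an encryption key or another confidential channel, a reporter has no way to send a proof of concept for an unpatched issue other than plain email. Suggest either keeping a sentence on how to submit sensitive details securely or stating explicitly that the contact channel in CONTACT.md supports this. Smaller fixes in the same hunk: `Once effected versions are patched` should be `Once affected versions are patched`, `please reach the project maintainers privately` should be `please reach out to the project maintainers privately`, `A few which we have worked with in past` should be `A few we have worked with in the past`, and `discussing scope of security vulnerability` wants articles (`the scope of the security vulnerability`). The `:white_check_mark:` to `:heavy_check_mark:` change is cosmetic and fine, but the table still lists 3.x as supported; the same accuracy check as for patch 1 applies.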