devicons / devicon

Set of icons representing programming languages, designing & development tools
https://devicon.dev
MIT License
9.19k stars 2.26k forks

[OTHER] Add a security policy #2129

Open Panquesito7 opened 4 months ago

Panquesito7 commented 4 months ago

I have searched through the issues and didn't find my problem.

What would you like to share?

We should add a security policy to properly report vulnerabilities in case there are any in our code. CC: @devicons/devicon__reviewers.

Additional information

No response

AnshSinghSonkhia commented 3 months ago

Hey @Panquesito7, may I write a Security_Vulnerability_Reporting_Policy.md?

It could include the following topics (let me know if there is anything to include or exclude):

  1. Introduction:
     • Purpose of the policy.
     • Importance of reporting vulnerabilities responsibly.
  2. Reporting Process:
     • How and where to report vulnerabilities (email, issue tracker, etc.).
     • Contact information for reporting vulnerabilities.
     • Response time expectations.
  3. Information Required:
     • Details to include in the vulnerability report (description, impact, steps to reproduce, etc.).
     • Request for proof-of-concept code or scripts (if applicable).
     • Request for contact information for further communication (optional).
  4. Encryption:
     • Instructions for encrypting sensitive vulnerability reports (if applicable).
     • Provide a link to your organization's PGP public key.
  5. Responsiveness:
     • Commitment to acknowledging receipt of vulnerability reports.
     • Timelines for assessing and addressing reported vulnerabilities.
     • Communication protocol for providing updates on the status of reported vulnerabilities.
  6. Public Disclosure:
     • Coordination process for determining the timing of public disclosure.
     • Commitment to providing users with sufficient time to update systems before public disclosure.
  7. Scope:
     • Clarification of what aspects of the project the policy covers (code, documentation, dependencies, configurations, etc.).
  8. Responsible Disclosure:
     • Encouragement for responsible disclosure of security vulnerabilities.
     • Commitment to acknowledging and addressing valid vulnerability reports.
  9. Acknowledgment:
     • Expression of gratitude to security researchers and contributors who report vulnerabilities.
  10. Policy Maintenance:
     • Commitment to regularly reviewing and updating the policy as necessary.
     • Notification process for users in case of policy updates.
  11. Legal Disclaimer (if applicable):
     • Clarification of legal implications related to vulnerability reporting and disclosure.
     • Disclaimer of liability for issues arising from vulnerability reporting and disclosure.