hedgedoc/SECURITY.md

<!--
SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)

SPDX-License-Identifier: CC-BY-SA-4.0
-->

# Security Policy

## Supported Versions

Only the latest release of HedgeDoc is supported. We don't have the
ressources to maintain multiple versions.

## Reporting a Vulnerability

Please go to ["Issues" > "New" > "Report a security vulnerability"][report]. This
allows you to get in direct, but private contact with us. There is some more detailed
documentation [available by GitHub][github_report_docs].

> **Tip**: In this form, only the title and description are mandatory [so don't
> worry if you can't fill everything]. […] However, we recommend security
> researchers provide as much information as possible on the form so that [we]
> can make an informed decision about the submitted report.  You can adopt the
> template used by [GitHub's] security researchers from the GitHub Security
> Lab, which is available on the [github/securitylab
> repository][best_practice]."

We'll get back to you as soon as possible. You can expect an answer within
3 days, in rare cases within a month. If you don't get a reply within a month,
please reach out for other contact addresses in the [community chat][community_chat].

When your findings are accepted as a security issue, we'll work on a fix or
at least a workaround for the next release. With the release that contained
the fix, we want to encourage you to publish your findings as you like.

We'll also credit you in the release notes.

When your findings are not accepted as a security issue, feel free to write
a fix yourself and contribute it to HedgeDoc, as well as publish them as you
like and allow people to make an informed decision about using HedgeDoc.

If you have any further questions, feel free to reach out to the
[community chat][community_chat] or the mentioned contacts above.

[repo]: https://github.com/hedgedoc/hedgedoc
[report]: https://github.com/hedgedoc/hedgedoc/security/advisories/new
[github_report_docs]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability
[community_chat]: https://chat.hedgedoc.org
[best_practice]: https://github.com/github/securitylab/blob/main/docs/report-template.md
added reuse information Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-01-05 16:12:38 -05:00			`<!--`
Change year in copyright to 2021 Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> 2021-01-06 15:36:07 -05:00			`SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)`
added reuse information Signed-off-by: Philip Molares <philip.molares@udo.edu> 2021-01-05 16:12:38 -05:00
			`SPDX-License-Identifier: CC-BY-SA-4.0`
			`-->`

Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00			`# Security Policy`

			`## Supported Versions`

Update security.md to match state in master branch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-09-21 09:19:46 -04:00			`Only the latest release of HedgeDoc is supported. We don't have the`
Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00			`ressources to maintain multiple versions.`

			`## Reporting a Vulnerability`

docs(SECURITY): Shift vulnerability reporting directly to GitHub This patch adjust the SECURITY.md to follow a new workflow, which results in reports ending up on GitHub without going through my mailbox, this frees resources on my side as well as reducing the bus factor. Since most of the time, I do an editorial copy of the content of the E-Mail into GitHub's vulnerability template, this should help to reduce manual processes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2023-01-23 15:28:43 -05:00			`Please go to ["Issues" > "New" > "Report a security vulnerability"][report]. This`
			`allows you to get in direct, but private contact with us. There is some more detailed`
			`documentation [available by GitHub][github_report_docs].`

			`> Tip: In this form, only the title and description are mandatory [so don't`
			`> worry if you can't fill everything]. […] However, we recommend security`
			`> researchers provide as much information as possible on the form so that [we]`
			`> can make an informed decision about the submitted report. You can adopt the`
			`> template used by [GitHub's] security researchers from the GitHub Security`
			`> Lab, which is available on the [github/securitylab`
			`> repository][best_practice]."`
Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00
			`We'll get back to you as soon as possible. You can expect an answer within`
			`3 days, in rare cases within a month. If you don't get a reply within a month,`
fix: typo in SECURITY.md Also moved all links to the bottom for easier changing of urls Signed-off-by: Philip Molares <philip.molares@udo.edu> 2023-01-21 05:28:45 -05:00			`please reach out for other contact addresses in the [community chat][community_chat].`
Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00
fix: typo in SECURITY.md Also moved all links to the bottom for easier changing of urls Signed-off-by: Philip Molares <philip.molares@udo.edu> 2023-01-21 05:28:45 -05:00			`When your findings are accepted as a security issue, we'll work on a fix or`
Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00			`at least a workaround for the next release. With the release that contained`
fix: typo in SECURITY.md Also moved all links to the bottom for easier changing of urls Signed-off-by: Philip Molares <philip.molares@udo.edu> 2023-01-21 05:28:45 -05:00			`the fix, we want to encourage you to publish your findings as you like.`
Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00
			`We'll also credit you in the release notes.`

			`When your findings are not accepted as a security issue, feel free to write`
Update security.md to match state in master branch Signed-off-by: Erik Michelson <github@erik.michelson.eu> 2021-09-21 09:19:46 -04:00			`a fix yourself and contribute it to HedgeDoc, as well as publish them as you`
fix: typo in SECURITY.md Also moved all links to the bottom for easier changing of urls Signed-off-by: Philip Molares <philip.molares@udo.edu> 2023-01-21 05:28:45 -05:00			`like and allow people to make an informed decision about using HedgeDoc.`
Import meta-files These files are imported from HedgeDoc 1 / the master branch. Signed-off-by: David Mehren <git@herrmehren.de> 2022-01-23 16:02:58 -05:00
			`If you have any further questions, feel free to reach out to the`
fix: typo in SECURITY.md Also moved all links to the bottom for easier changing of urls Signed-off-by: Philip Molares <philip.molares@udo.edu> 2023-01-21 05:28:45 -05:00			`[community chat][community_chat] or the mentioned contacts above.`

docs(SECURITY): Shift vulnerability reporting directly to GitHub This patch adjust the SECURITY.md to follow a new workflow, which results in reports ending up on GitHub without going through my mailbox, this frees resources on my side as well as reducing the bus factor. Since most of the time, I do an editorial copy of the content of the E-Mail into GitHub's vulnerability template, this should help to reduce manual processes. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2023-01-23 15:28:43 -05:00			`[repo]: https://github.com/hedgedoc/hedgedoc`
			`[report]: https://github.com/hedgedoc/hedgedoc/security/advisories/new`
			`[github_report_docs]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability`
			`[community_chat]: https://chat.hedgedoc.org`
			`[best_practice]: https://github.com/github/securitylab/blob/main/docs/report-template.md`