BookStack Code Mirror - bookstack/commitdiff
Added security policy md file
author Dan Brown <redacted>
Tue, 26 Oct 2021 15:09:41 +0000 (16:09 +0100)
committer Dan Brown <redacted>
Tue, 26 Oct 2021 15:09:41 +0000 (16:09 +0100)
.github/SECURITY.md [new file with mode: 0644]
readme.md

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644 (file)
index 0000000..c2201a6
--- /dev/null
@@ -0,0 +1,32 @@
+# Security Policy
+
+## Supported Versions
+
+Only the [latest version](https://github.com/BookStackApp/BookStack/releases) of BookStack is supported.
+We generally don't support older versions of BookStack due to maintenance effort and
+since we aim to provide a fairly stable upgrade path for new versions.
+
+## Security Notifications
+
+If you'd like to be notified of new potential security concerns you can [sign-up to the BookStack security mailing list](https://updates.bookstackapp.com/signup/bookstack-security-updates).
+
+## Reporting a Vulnerability
+
+If you've found an issue that likely has no impact to existing users (For example, in a development-only branch)
+feel free to raise it via a standard GitHub bug report issue.
+
+If the issue could have a security impact to BookStack instances, please use one of the below 
+methods to report the vulnerability:
+
+- Directly contact the lead maintainer [@ssddanbrown](https://github.com/ssddanbrown). 
+  - You will need to login to be able to see the email address on the [GitHub profile page](https://github.com/ssddanbrown).
+  - Alternatively you can send a DM via Twitter to [@ssddanbrown](https://twitter.com/ssddanbrown).
+- [Disclose via huntr.dev](https://huntr.dev/bounties/disclose)
+  - Bounties may be available to you through this platform.
+  - Be sure to use `https://github.com/BookStackApp/BookStack` as the repository URL.
+
+Please be patient while the vulnerability is being reviewed. Deploying the fix to address the vulnerability
+can often take a little time due to the amount of preparation required, to ensure the vulnerability has
+been covered, and to create the content required to adequately notify the user-base.
+
+Thank you for keeping BookStack instances safe!
\ No newline at end of file
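Review bot: the new SECURITY.md ends without a trailing newline (the `\ No newline at end of file` marker on its last line); add one so later edits to the file do not produce a spurious diff on the final line. In the "Reporting a Vulnerability" section, the closing paragraph asks reporters to be patient but gives no expected acknowledgement window, and the section does not say what a report should contain (affected BookStack version, reproduction steps), both of which cut down on back-and-forth with reporters; consider adding a sentence on each. Minor wording on the same hunk: "no impact to existing users (For example, ..." reads better as "no impact on existing users (for example, ...", and "a security impact to BookStack instances" as "a security impact on BookStack instances".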
index 1ab54de6e51c13f8fd5dec4f63210fac0da5de7c..17ac9641bdc266d3940afb01b17761d8fe1a9a6f 100644 (file)
--- a/readme.md
+++ b/readme.md
@@ -157,7 +157,7 @@ Security information for administering a BookStack instance can be found on the
 
 If you'd like to be notified of new potential security concerns you can [sign-up to the BookStack security mailing list](https://updates.bookstackapp.com/signup/bookstack-security-updates).
 
-If you would like to report a security concern in a more confidential manner than via a GitHub issue, You can directly email the lead maintainer [ssddanbrown](https://github.com/ssddanbrown). You will need to login to be able to see the email address on the [GitHub profile page](https://github.com/ssddanbrown). Alternatively you can send a DM via twitter to [@ssddanbrown](https://twitter.com/ssddanbrown).
+If you would like to report a security concern, details of doing so can [can be found here](https://github.com/BookStackApp/BookStack/blob/master/.github/SECURITY.md).
 
 ## ♿ Accessibility
 
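Review bot: the replacement readme line has a duplicated word, "details of doing so can [can be found here]"; suggest "If you would like to report a security concern, details of how to do so [can be found in the security policy](https://github.com/BookStackApp/BookStack/blob/master/.github/SECURITY.md)." Since the policy now lives in the same repository, a relative link such as `.github/SECURITY.md` would also keep the link pointing at the version of the policy on whatever branch or tag the reader is viewing, rather than always at `master`.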