verdaccio/SECURITY.md

# Security Policy

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 2.x   | :x:                |
| 3.x   | :white_check_mark: |
| 4.x   | :white_check_mark: |

## Reporting a Vulnerability

At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our team:

* Report it either [Snyk Security Team](https://snyk.io/vulnerability-disclosure/) or [npmjs Security Team](https://www.npmjs.com/advisories/report?package=verdaccio), they will be in contact with us in case of confirming the vulnerability.
* E-mail your findings to [verdaccio@pm.me](mailto:verdaccio@pm.me). If the report contains highly sensitive information, please consider encrypting your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc).

Please follow these rules when testing/reporting vulnerabilities:
* Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability.
* Do not read, modify or delete data that isn't your own.
* We ask that you do not disclose the findings to third parties until it has been resolved.

What we promise:
* We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
* We will keep you informed during all stages of resolving the problem.
* To show our appreciation for your effort and cooperation during the report, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep Verdaccio secure.
feat: create security policy (#1322) * chore: create security policy * chore: add security.txt * chore: add public gpg key * chore: add security policy notification * chore: add snyk and npmjs security report links * chore: update security vulnerability description * chore: update readme * chore: update README.md * chore: update SECURITY.md * chore: update SECURITY.md * chore: update SECURITY.md * chore: update SECURITY.md * chore: update security.md * chore: update SECURITY.md 2019-05-25 15:11:13 -05:00			`# Security Policy`

			`## Supported Versions`

			`Use this section to tell people about which versions of your project are`
			`currently being supported with security updates.`

			`\| Version \| Supported \|`
			`\| ------- \| ------------------ \|`
			`\| 2.x \| :x: \|`
			`\| 3.x \| :white_check_mark: \|`
			`\| 4.x \| :white_check_mark: \|`

			`## Reporting a Vulnerability`

			`At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our team:`

			`* Report it either [Snyk Security Team](https://snyk.io/vulnerability-disclosure/) or [npmjs Security Team](https://www.npmjs.com/advisories/report?package=verdaccio), they will be in contact with us in case of confirming the vulnerability.`
			`* E-mail your findings to [verdaccio@pm.me](mailto:verdaccio@pm.me). If the report contains highly sensitive information, please consider encrypting your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc).`

			`Please follow these rules when testing/reporting vulnerabilities:`
			`* Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability.`
			`* Do not read, modify or delete data that isn't your own.`
			`* We ask that you do not disclose the findings to third parties until it has been resolved.`

			`What we promise:`
			`* We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.`
			`* We will keep you informed during all stages of resolving the problem.`
			`* To show our appreciation for your effort and cooperation during the report, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep Verdaccio secure.`