From 0e9f23d8bf747060b5c9abecb2176bd03c8475da Mon Sep 17 00:00:00 2001 From: "Juan Picado @jotadeveloper" Date: Sat, 25 May 2019 22:11:13 +0200 Subject: [PATCH] feat: create security policy (#1322) * chore: create security policy * chore: add security.txt * chore: add public gpg key * chore: add security policy notification * chore: add snyk and npmjs security report links * chore: update security vulnerability description * chore: update readme * chore: update README.md * chore: update SECURITY.md * chore: update SECURITY.md * chore: update SECURITY.md * chore: update SECURITY.md * chore: update security.md * chore: update SECURITY.md --- README.md | 4 ++++ SECURITY.md | 30 ++++++++++++++++++++++++++++++ security.txt | 5 +++++ 3 files changed, 39 insertions(+) create mode 100644 SECURITY.md create mode 100644 security.txt diff --git a/README.md b/README.md index df56d64d7..03324c4f3 100644 --- a/README.md +++ b/README.md @@ -164,6 +164,10 @@ Verdaccio aims to support all features of a standard npm client that make sense - npm audit - **supported** +## Report a vulnerability + +If you want to report a security vulnerability, please follow the steps which we have defined for you in our [security policy](https://github.com/verdaccio/verdaccio/security/policy). + ## Core Team The core team is the responsable for drive this project, team is ordered by antiquity and areas of responsability. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..9607505a0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,30 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 2.x | :x: | +| 3.x | :white_check_mark: | +| 4.x | :white_check_mark: | + +## Reporting a Vulnerability + +At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our team: + +* Report it either [Snyk Security Team](https://snyk.io/vulnerability-disclosure/) or [npmjs Security Team](https://www.npmjs.com/advisories/report?package=verdaccio), they will be in contact with us in case of confirming the vulnerability. +* E-mail your findings to [verdaccio@pm.me](mailto:verdaccio@pm.me). If the report contains highly sensitive information, please consider encrypting your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc). + +Please follow these rules when testing/reporting vulnerabilities: +* Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability. +* Do not read, modify or delete data that isn't your own. +* We ask that you do not disclose the findings to third parties until it has been resolved. + +What we promise: +* We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date. +* We will keep you informed during all stages of resolving the problem. +* To show our appreciation for your effort and cooperation during the report, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep Verdaccio secure. + 
diff --git a/security.txt b/security.txt new file mode 100644 index 000000000..b243ac559 --- /dev/null +++ b/security.txt @@ -0,0 +1,5 @@ +Contact: verdaccio@pm.me +Encryption: https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc +Acknowledgments: https://verdaccio.org/thanks.html +Preferred-Languages: en +Policy: https://github.com/verdaccio/verdaccio/security/policy
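Review bot: in the new "Report a vulnerability" section of README.md, the link targets the GitHub-rendered policy page rather than the SECURITY.md file added in this same commit; a relative link (`[security policy](SECURITY.md)`) keeps working in forks, mirrors and the published npm tarball, and GitHub still renders it the same way. "the steps which we have defined for you" reads awkwardly; "the steps in our security policy" is enough. While touching this area, the unchanged context line directly below has two spelling errors ("responsable", "responsability") and "for drive this project" should read "for driving this project".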
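Review bot: SECURITY.md still carries the GitHub template's placeholder sentence under "Supported Versions" ("Use this section to tell people about which versions of your project are currently being supported with security updates."); replace it with the actual statement, e.g. "Security fixes are released for the versions marked below." The last bullet under "What we promise" refers to "the page below", but no page or link follows it; the acknowledgments URL used in security.txt (https://verdaccio.org/thanks.html) is the obvious target, and being listed there should be opt-in, since not every reporter wants public credit. Under "Reporting a Vulnerability", "Report it either [Snyk Security Team]" needs a "to" ("Report it to either ..."), and it is unclear whether the two bullets are alternatives or both expected; state which channel is preferred. Because the PGP key is fetched from a storage bucket, publishing the key's fingerprint in this file lets a reporter verify they obtained the right key even if the bucket contents change.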
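Review bot: security.txt is only discoverable by scanners and reporters when served at https://verdaccio.org/.well-known/security.txt (or /security.txt), so adding it to the repository root alone does not make it reachable from the website; publishing it through the docs site is the missing step. Two fields should be adjusted to match the security.txt specification (now RFC 9116): `Contact:` must be a URI, i.e. `Contact: mailto:verdaccio@pm.me`, and an `Expires:` field is required so consumers know when to re-check the contact details. Since an `Encryption:` key is already published, clear-signing the file with that key is recommended by the spec and lets readers detect tampering. The `Encryption:` URL duplicates the one in SECURITY.md; keep the two in sync if the key is ever rotated.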