0
Fork 0
mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-16 21:56:25 -05:00

feat: create security policy (#1322)

* chore: create security policy

* chore: add security.txt

* chore: add public gpg key

* chore: add security policy notification

* chore: add snyk and npmjs security report links

* chore: update security vulnerability description

* chore: update readme

* chore: update README.md

* chore: update SECURITY.md

* chore: update SECURITY.md

* chore: update SECURITY.md

* chore: update SECURITY.md

* chore: update security.md

* chore: update SECURITY.md
This commit is contained in:
Juan Picado @jotadeveloper 2019-05-25 22:11:13 +02:00 committed by GitHub
parent 46eeb7e963
commit 0e9f23d8bf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 39 additions and 0 deletions

View file

@ -164,6 +164,10 @@ Verdaccio aims to support all features of a standard npm client that make sense
- npm audit - **supported**
## Report a vulnerability
If you want to report a security vulnerability, please follow the steps which we have defined for you in our [security policy](https://github.com/verdaccio/verdaccio/security/policy).
## Core Team
The core team is the responsable for drive this project, team is ordered by antiquity and areas of responsability.

30
SECURITY.md Normal file
View file

@ -0,0 +1,30 @@
# Security Policy
## Supported Versions
Use this section to tell people about which versions of your project are
currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 2.x | :x: |
| 3.x | :white_check_mark: |
| 4.x | :white_check_mark: |
## Reporting a Vulnerability
At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our team:
* Report it either [Snyk Security Team](https://snyk.io/vulnerability-disclosure/) or [npmjs Security Team](https://www.npmjs.com/advisories/report?package=verdaccio), they will be in contact with us in case of confirming the vulnerability.
* E-mail your findings to [verdaccio@pm.me](mailto:verdaccio@pm.me). If the report contains highly sensitive information, please consider encrypting your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc).
Please follow these rules when testing/reporting vulnerabilities:
* Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability.
* Do not read, modify or delete data that isn't your own.
* We ask that you do not disclose the findings to third parties until it has been resolved.
What we promise:
* We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
* We will keep you informed during all stages of resolving the problem.
* To show our appreciation for your effort and cooperation during the report, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep Verdaccio secure.

5
security.txt Normal file
View file

@ -0,0 +1,5 @@
Contact: verdaccio@pm.me
Encryption: https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc
Acknowledgments: https://verdaccio.org/thanks.html
Preferred-Languages: en
Policy: https://github.com/verdaccio/verdaccio/security/policy