| 1 | +### TL;DR |
| 2 | + |
| 3 | +We use a simplified version of [Golang Security Policy](https://golang.org/security). |
| 4 | +For example, for now we skip CVE assignment. |
| 5 | + |
| 6 | +### Reporting a Security Bug |
| 7 | + |
| 8 | +Please report to us any issues you find. This document explains how to do that and what to expect in return. |
| 9 | + |
| 10 | +All security bugs in our releases should be reported by email to [email protected]. |
| 11 | +This mail is delivered to a small security team. |
| 12 | +Your email will be acknowledged within 24 hours, and you'll receive a more detailed response |
| 13 | +to your email within 72 hours indicating the next steps in handling your report. |
| 14 | +For critical problems, you can encrypt your report using our PGP key (listed below). |
| 15 | + |
| 16 | +Please use a descriptive subject line for your report email. |
| 17 | +After the initial reply to your report, the security team will |
| 18 | +endeavor to keep you informed of the progress being made towards a fix and full announcement. |
| 19 | +These updates will be sent at least every five days. |
| 20 | +In reality, this is more likely to be every 24-48 hours. |
| 21 | + |
| 22 | +If you have not received a reply to your email within 48 hours or you have not heard from the security |
| 23 | +team for the past five days please contact us by email to [email protected] or by Telegram message |
| 24 | +to [our support](https://t.me/highload_support). |
| 25 | +Please note that [email protected] list includes all developers, who may be outside our opensource security team. |
| 26 | +When escalating on this list, please do not disclose the details of the issue. |
| 27 | +Simply state that you're trying to reach a member of the security team. |
| 28 | + |
| 29 | +### Flagging Existing Issues as Security-related |
| 30 | + |
| 31 | +If you believe that an existing issue is security-related, we ask that you send an email to [email protected]. |
| 32 | +The email should include the issue ID and a short description of why it should be handled according to this security policy. |
| 33 | + |
| 34 | +### Disclosure Process |
| 35 | + |
| 36 | +Our project uses the following disclosure process: |
| 37 | + |
| 38 | +- Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process. |
| 39 | +- The issue is confirmed and a list of affected software is determined. |
| 40 | +- Code is audited to find any potential similar problems. |
| 41 | +- Fixes are prepared for the two most recent major releases and the head/master revision. These fixes are not yet committed to the public repository. |
| 42 | +- To notify users, a new issue without security details is submitted to our GitHub repository. |
| 43 | +- Three working days following this notification, the fixes are applied to the public repository and a new release is issued. |
| 44 | +- On the date that the fixes are applied, announcement is published in the issue. |
| 45 | + |
| 46 | +This process can take some time, especially when coordination is required with maintainers of other projects. |
| 47 | +Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow |
| 48 | +the process described above to ensure that disclosures are handled consistently. |
| 49 | + |
| 50 | +### Receiving Security Updates |
| 51 | +The best way to receive security announcements is to subscribe ("Watch") to our repository. |
| 52 | +Any GitHub issues pertaining to a security issue will be prefixed with [security]. |
| 53 | + |
| 54 | +### Comments on This Policy |
| 55 | +If you have any suggestions to improve this policy, please send an email to [email protected] for discussion. |
| 56 | + |
| 57 | + |
| 58 | + |
| 59 | +We accept PGP-encrypted email, but the majority of the security team are not regular PGP users |
| 60 | +so it's somewhat inconvenient. Please only use PGP for critical security reports. |
| 61 | + |
| 62 | +``` |
| 63 | +-----BEGIN PGP PUBLIC KEY BLOCK----- |
| 64 | +
|
| 65 | +mQINBFzdjYUBEACa3YN+QVSlnXofUjxr+YrmIaF+da0IUq+TRM4aqUXALsemEdGh |
| 66 | +yIl7Z6qOOy1d2kPe6t//H9l/92lJ1X7i6aEBK4n/pnPZkwbpy9gGpebgvTZFvcbe |
| 67 | +mFhF6k1FM35D8TxneJSjizPyGhJPqcr5qccqf8R64TlQx5Ud1JqT2l8P1C5N7gNS |
| 68 | +lEYXq1h4zBCvTWk1wdeLRRPx7Bn6xrgmyu/k61dLoJDvpvWNATVFDA67oTrPgzTW |
| 69 | +xtLbbk/xm0mK4a8zMzIpNyz1WkaJW9+4HFXaL+yKlsx7iHe2O7VlGoqS0kdeQup4 |
| 70 | +1HIw/P7yc0jBlNMLUzpuA6ElYUwESWsnCI71YY1x4rKgI+GqH1mWwgn7tteuXQtb |
| 71 | +Zj0vEdjK3IKIOSbzbzAvSbDt8F1+o7EMtdy1eUysjKSQgFkDlT6JRmYvEup5/IoG |
| 72 | +iknh/InQq9RmGFKii6pXWWoltC0ebfCwYOXvymyDdr/hYDqJeHS9Tenpy86Doaaf |
| 73 | +HGf5nIFAMB2G5ctNpBwzNXR2MAWkeHQgdr5a1xmog0hS125usjnUTet3QeCyo4kd |
| 74 | +gVouoOroMcqFFUXdYaMH4c3KWz0afhTmIaAsFFOv/eMdadVA4QyExTJf3TAoQ+kH |
| 75 | +lKDlbOAIxEZWRPDFxMRixaVPQC+VxhBcaQ+yNoaUkM0V2m8u8sDBpzi1OQARAQAB |
| 76 | +tDxPU1MgU2VjdXJpdHksIEhpZ2hsb2FkIExURCA8b3NzLXNlY3VyaXR5QGhpZ2hs |
| 77 | +b2FkLnNvbHV0aW9ucz6JAlQEEwEIAD4WIQRljYp380uKq2g8TeqsQcvu+Qp2TAUC |
| 78 | +XN2NhQIbAwUJB4YfgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCsQcvu+Qp2 |
| 79 | +TKmED/96YoQoOjD28blFFrigvAsiNcNNZoX9I0dX1lNpD83fBJf+/9i+x4jqUnI5 |
| 80 | +5XK/DFTDbhpw8kQBpxS9eEuIYnuo0RdLLp1ctNWTlpwfyHn92mGddl/uBdYHUuUk |
| 81 | +cjhIQcFaCcWRY+EpamDlv1wmZ83IwBr8Hu5FS+/Msyw1TBvtTRVKW1KoGYMYoXLk |
| 82 | +BzIglRPwn821B6s4BvK/RJnZkrmHMBZBfYMf+iSMSYd2yPmfT8wbcAjgjLfQa28U |
| 83 | +gbt4u9xslgKjuM83IqwFfEXBnm7su3OouGWqc+62mQTsbnK65zRFnx6GXRXC1BAi |
| 84 | +6m9Tm1PU0IiINz66ainquspkXYeHjd9hTwfR3BdFnzBTRRM01cKMFabWbLj8j0p8 |
| 85 | +fF4g9cxEdiLrzEF7Yz4WY0mI4Cpw4eJZfsHMc07Jn7QxfJhIoq+rqBOtEmTjnxMh |
| 86 | +aWeykoXMHlZN4K0ZrAytozVH1D4bugWA9Zuzi9U3F9hrVVABm11yyhd2iSqI6/FR |
| 87 | +GcCFOCBW1kEJbzoEguub+BV8LDi8ldljHalvur5k/VFhoDBxniYNsKmiCLVCmDWs |
| 88 | +/nF84hCReAOJt0vDGwqHe3E2BFFPbKwdJLRNkjxBY0c/pvaV+JxbWQmaxDZNeIFV |
| 89 | +hFcVGp48HNY3qLWZdsQIfT9m1masJFLVuq8Wx7bYs8Et5eFnH7kCDQRc3Y2FARAA |
| 90 | +2DJWAxABydyIdCxgFNdqnYyWS46vh2DmLmRMqgasNlD0ozG4S9bszBsgnUI2Xs06 |
| 91 | +J76kFRh8MMHcu9I4lUKCQzfrA4uHkiOK5wvNCaWP+C6JUYNHsqPwk/ILO3gtQ/Ws |
| 92 | +LLf/PW3rJZVOZB+WY8iaYc20l5vukTaVw4qbEi9dtLkJvVpNHt//+jayXU6s3ew1 |
| 93 | +2X5xdwyAZxaxlnzFaY/Xo/qR+bZhVFC0T9pAECnHv9TVhFGp0JE9ipPGnro5xTIS |
| 94 | +LttdAkzv4AuSVTIgWgTkh8nN8t7STJqfPEv0I12nmmYHMUyTYOurkfskF3jY2x6x |
| 95 | +8l02NQ4d5KdC3ReV1j51swrGcZCwsWNp51jnEXKwo+B0NM5OmoRrNJgF2iDgLehs |
| 96 | +hP00ljU7cB8/1/7kdHZStYaUHICFOFqHzg415FlYm+jpY0nJp/b9BAO0d0/WYnEe |
| 97 | +Xjihw8EVBAqzEt4kay1BQonZAypeYnGBJr7vNvdiP+mnRwly5qZSGiInxGvtZZFt |
| 98 | +zL1E3osiF+muQxFcM63BeGdJeYXy+MoczkWa4WNggfcHlGAZkMYiv28zpr4PfrK9 |
| 99 | +mvj4Nu8s71PE9pPpBoZcNDf9v1sHuu96jDSITsPx5YMvvKZWhzJXFKzk6YgAsNH/ |
| 100 | +MF0G+/qmKJZpCdvtHKpYM1uHX85H81CwWJFfBPthyD8AEQEAAYkCPAQYAQgAJhYh |
| 101 | +BGWNinfzS4qraDxN6qxBy+75CnZMBQJc3Y2FAhsMBQkHhh+AAAoJEKxBy+75CnZM |
| 102 | +Rn8P/RyL1bhU4Q4WpvmlkepCAwNA0G3QvnKcSZNHEPE5h7H3IyrA/qy16A9eOsgm |
| 103 | +sthsHYlo5A5lRIy4wPHkFCClMrMHdKuoS72//qgw+oOrBcwb7Te+Nas+ewhaJ7N9 |
| 104 | +vAX06vDH9bLl52CPbtats5+eBpePgP3HDPxd7CWHxq9bzJTbzqsTkN7JvoovR2dP |
| 105 | +itPJDij7QYLYVEM1t7QxUVpVwAjDi/kCtC9ts5L+V0snF2n3bHZvu04EXdpvxOQI |
| 106 | +pG/7Q+/WoI8NU6Bb/FA3tJGYIhSwI3SY+5XV/TAZttZaYSh2SD8vhc+eo+gW9sAN |
| 107 | +xa+VESBQCht9+tKIwEwHs1efoRgFdbwwJ2c+33+XydQ6yjdXoX1mn2uyCr82jorZ |
| 108 | +xTzbkY04zr7oZ+0fLpouOFg/mrSL4w2bWEhdHuyoVthLBjnRme0wXCaS3g3mYdLG |
| 109 | +nSUkogOGOOvvvBtoq/vfx0Eu79piUtw5D8yQSrxLDuz8GxCrVRZ0tYIHb26aTE9G |
| 110 | +cDsW/Lg5PjcY/LgVNEWOxDQDFVurlImnlVJFb3q+NrWvPbgeIEWwJDCay/z25SEH |
| 111 | +k3bSOXLp8YGRnlkWUmoeL4g/CCK52iAAlfscZNoKMILhBnbCoD657jpa5GQKJj/U |
| 112 | +Q8kjgr7kwV/RSosNV9HCPj30mVyiCQ1xg+ZLzMKXVCuBWd+G |
| 113 | +=lnt2 |
| 114 | +-----END PGP PUBLIC KEY BLOCK----- |
| 115 | +``` |
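Review bot: The PGP public key block (lines 62-115) is published without its fingerprint stated anywhere in plain text, so a reporter has no way to confirm that the armored block they pasted matches the key the security team actually holds; add the key's full fingerprint on its own line immediately before the block, and mention it again next to "you can encrypt your report using our PGP key" (line 14), so it can be checked against the key after import. Two smaller points in the same hunk: the disclosure steps (lines 42-44) say the pre-release GitHub issue is filed "without security details" but do not say what it should contain, so consider listing the minimum (affected components and versions, severity, expected fix date) so users can plan the three-working-day window; and line 44 reads "announcement is published in the issue", which should be "an announcement is published in the issue".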