- Reporting security problems to the project owner
- Security point of contact
- Vulnerability response process
DO NOT CREATE AN ISSUE to report a security problem. Instead, please send an email with the security report directly to the security point of contact.
All security reports should contain a detailed summary of the issue and suggested steps for resolution.
Please email [email protected] to get help reaching the responsible party.
If a vulnerability is discovered or reported in the production branch, the repository maintainers will follow this process to triage, respond, and remediate:
The first step is to determine the root cause, nature, and scope of the vulnerability.
- Find out who knows about the vulnerability and who is affected.
- Find out what the impact of the vulnerability is, including potentially exposed data.
- Perform root cause analysis and identify the best fix for the vulnerability.
After the initial assessment and containment, a vulnerability response plan will be created and executed to patch the vulnerable application.
Deploy the patch to the production version of the affected software. Then contact the vulnerability reporter and ask them to validate that the steps taken have resolved the vulnerability they reported.
If the affected code or software is distributed to parties outside of Vermeer, create a GitHub Security Advisory in the repository using this template that summarizes the vulnerability, its scope, and what actions need to be taken by affected parties. Post the security advisory in a public place accessible to all affected parties or contact them directly.