diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..0c0c8bd4
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,84 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+At GNU Wget, we take security seriously and appreciate the efforts of security
+researchers in identifying and disclosing vulnerabilities responsibly. If you
+believe you've discovered a security vulnerability in GNU Wget, we encourage you
+to disclose it to us privately and work with us to ensure it is addressed
+promptly and appropriately.
+
+To report a vulnerability, please contact the maintainers directly via email.
+The names and contact details of the current maintainers is always available via
+the AUTHORS file in this repository. In order to send an encrypted email,
+please use the keyring available at the following URL:
+https://savannah.gnu.org/project/release-gpgkeys.php?group=wget
+
+
+Please include the following information in your report:
+
+- A detailed description of the vulnerability
+- The version(s) of GNU Wget that are affected.
+- Steps to reproduce the vulnerability.
+- Any proof-of-concept or exploit code, if applicable.
+- Your contact information for coordination and follow-up.
+
+Once we receive your report, we will acknowledge receipt and work with you to
+investigate the issue. We work on GNU Wget on a volunteer basis and as such may
+face delays in responding immediately. We aim to respond to initial reports
+within 5 working days and will keep you informed of our progress throughout the
+resolution process.
+
+Please refrain from disclosing the vulnerability publicly until we have had an
+opportunity to investigate and address it. We appreciate your cooperation in
+helping to keep GNU Wget and its users secure.
+
+## Vulnerability Disclosure Policy
+
+Once a security vulnerability has been identified and confirmed, we will take
+the following steps:
+
+1. **Investigation**: We will promptly investigate the reported vulnerability to
+   verify its authenticity and determine its scope and impact.
+
+2. **Resolution**: Once validated, we will develop and test a fix for the
+   vulnerability. We will strive to address the issue as quickly as possible and
+   prepare a patch for release.
+
+3. **Coordination**: We will work with the reporter to ensure that the
+   vulnerability is disclosed responsibly and coordinated with the release of
+   the fix.
+
+4. **Release**: Upon completion of the fix and any necessary testing, we will
+   release a new version of GNU Wget that addresses the vulnerability. We will
+   provide appropriate credit to the reporter in the release notes, unless
+   otherwise requested.
+
+5. **Public Disclosure**: We will coordinate the public disclosure of the
+   vulnerability with the reporter and other relevant stakeholders. Once the fix
+   is widely available, we will publish an advisory detailing the vulnerability
+   and its resolution.
+
+We strive to follow these steps in a timely and transparent manner, while
+prioritizing the security and stability of GNU Wget and its users.
+
+## Responsible Disclosure Guidelines
+
+In order to protect our users and systems, we ask that security researchers
+adhere to the following guidelines when reporting vulnerabilities to GNU Wget:
+
+- **Responsible Disclosure**: Please disclose vulnerabilities to us privately
+  and allow us a reasonable amount of time to investigate and address them
+  before disclosing them publicly.
+
+- **Cooperation**: We appreciate your cooperation and collaboration throughout
+  the disclosure process. We will do our best to keep you informed of our
+  progress and coordinate the release of information with you.
+
+- **Respect**: Please respect our users' privacy and refrain from any actions
+  that could cause harm or disrupt our systems. We ask that you do not exploit
+  or disclose vulnerabilities before they have been resolved.
+
+By following these guidelines, you can help us maintain the security and
+integrity of GNU Wget for the benefit of all users. We thank you for your
+contributions to our project and for helping to make the internet a safer place.
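Review bot: In "Responsible Disclosure Guidelines", the first bullet asks for "a reasonable amount of time" before public disclosure without defining it, and the third bullet's "do not exploit or disclose vulnerabilities before they have been resolved" makes the embargo open-ended. The only concrete figure in the file is the 5 working days for an initial response. Consider stating a target embargo window, or saying explicitly that the timeline is agreed per report, so a reporter knows what to expect if a fix stalls. The third bullet's "do not exploit" also sits awkwardly beside the report checklist's request for "Any proof-of-concept or exploit code"; scoping the restriction to systems and users other than the researcher's own test setup would remove the ambiguity. Minor: under "Reporting a Vulnerability", "The names and contact details of the current maintainers is always available" should read "are always available", and the first checklist item lacks the trailing period the other items have.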