mirror of
https://github.com/mirror/wget.git
synced 2024-12-26 12:50:44 +08:00
* SECURITY.md: Add a file stating how to report security issues
This commit is contained in:
parent
4100339a2b
commit
28009a048f
84
SECURITY.md
Normal file
@ -0,0 +1,84 @@
# Security Policy

## Reporting a Vulnerability

At GNU Wget, we take security seriously and appreciate the efforts of security
researchers in identifying and disclosing vulnerabilities responsibly. If you
believe you've discovered a security vulnerability in GNU Wget, we encourage you
to disclose it to us privately and work with us to ensure it is addressed
promptly and appropriately.

To report a vulnerability, please contact the maintainers directly via email.
The names and contact details of the current maintainers is always available via
the AUTHORS file in this repository. In order to send an encrypted email,
please use the keyring available at the following URL:
https://savannah.gnu.org/project/release-gpgkeys.php?group=wget


Please include the following information in your report:

- A detailed description of the vulnerability
- The version(s) of GNU Wget that are affected.
- Steps to reproduce the vulnerability.
- Any proof-of-concept or exploit code, if applicable.
- Your contact information for coordination and follow-up.

Once we receive your report, we will acknowledge receipt and work with you to
investigate the issue. We work on GNU Wget on a volunteer basis and as such may
face delays in responding immediately. We aim to respond to initial reports
within 5 working days and will keep you informed of our progress throughout the
resolution process.

Please refrain from disclosing the vulnerability publicly until we have had an
opportunity to investigate and address it. We appreciate your cooperation in
helping to keep GNU Wget and its users secure.

## Vulnerability Disclosure Policy

Once a security vulnerability has been identified and confirmed, we will take
the following steps:

1. **Investigation**: We will promptly investigate the reported vulnerability to
verify its authenticity and determine its scope and impact.

2. **Resolution**: Once validated, we will develop and test a fix for the
vulnerability. We will strive to address the issue as quickly as possible and
prepare a patch for release.

3. **Coordination**: We will work with the reporter to ensure that the
vulnerability is disclosed responsibly and coordinated with the release of
the fix.

4. **Release**: Upon completion of the fix and any necessary testing, we will
release a new version of GNU Wget that addresses the vulnerability. We will
provide appropriate credit to the reporter in the release notes, unless
otherwise requested.

5. **Public Disclosure**: We will coordinate the public disclosure of the
vulnerability with the reporter and other relevant stakeholders. Once the fix
is widely available, we will publish an advisory detailing the vulnerability
and its resolution.

We strive to follow these steps in a timely and transparent manner, while
prioritizing the security and stability of GNU Wget and its users.

## Responsible Disclosure Guidelines

In order to protect our users and systems, we ask that security researchers
adhere to the following guidelines when reporting vulnerabilities to GNU Wget:

- **Responsible Disclosure**: Please disclose vulnerabilities to us privately
and allow us a reasonable amount of time to investigate and address them
before disclosing them publicly.

- **Cooperation**: We appreciate your cooperation and collaboration throughout
the disclosure process. We will do our best to keep you informed of our
progress and coordinate the release of information with you.

- **Respect**: Please respect our users' privacy and refrain from any actions
that could cause harm or disrupt our systems. We ask that you do not exploit
or disclose vulnerabilities before they have been resolved.

By following these guidelines, you can help us maintain the security and
integrity of GNU Wget for the benefit of all users. We thank you for your
contributions to our project and for helping to make the internet a safer place.
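Review bot: subject-verb agreement in the "To report a vulnerability" paragraph: "The names and contact details of the current maintainers is always available via the AUTHORS file" should read "are always available". In the same paragraph, the encrypted-mail instruction points at the group keyring URL but does not say which key in it a reporter should encrypt to; naming the maintainer key (or its fingerprint) next to the contact details in AUTHORS, or stating that the keys match the AUTHORS entries, would remove that ambiguity. The "Please include" list also mixes punctuation: the first bullet lacks the trailing period the other four carry.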