Skip to content

Repo File Sync: synced file(s) with Contrast-Security-OSS/common-artifacts #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
contrast-oss-sync-bot wants to merge 1 commit into
base: master
Choose a base branch
from
+54 −0
Open

Repo File Sync: synced file(s) with Contrast-Security-OSS/common-artifacts #39

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
# Security Policy

Contrast Security is committed to the security of our users and our open-source software. We appreciate the efforts of security researchers who help us keep our products safe.

## Supported Versions

We actively support and provide security updates for the following versions of our projects. If you are using a version not listed below, please upgrade to a supported version.

| Version | Supported |
| ------- | ------------------ |
| < 1.0.0 | ✅ Supported |
| 0.x.x | ❌ Not Supported |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

We offer two ways to report a vulnerability:

### 1. Private Vulnerability Reporting (Preferred)
The easiest way to report a vulnerability is via GitHub's [Private Vulnerability Reporting](https://docs.github.com/en/code-security/how-tos/report-and-fix-vulnerabilities/privately-reporting-a-security-vulnerability) feature. Navigate to the **"Security"** tab of the specific repository and click **"Report a vulnerability"**.

### 2. Email
Alternatively, you can email your report to [security@contrastsecurity.com](mailto:security@contrastsecurity.com).

For more details on our processes, please see our official [Vulnerability Disclosure Policy](https://www.contrastsecurity.com/disclosure-policy).

### What to include in your report:
* A description of the vulnerability and its potential impact.
* A clear, step-by-step guide to reproducing the issue (PoC scripts or screenshots are helpful).
* The version of the software affected.

## Our Response Process

Contrast takes every report seriously. After you submit a report:

* **Acknowledgment:** We will acknowledge receipt of your report within 2 business days.
* **Investigation:** Our security team will investigate the report and may reach out for more information.
* **Updates:** We will keep you informed of our progress as we work toward a fix.
* **Disclosure:** We follow coordinated disclosure. We ask that you do not share the vulnerability publicly until we have released a fix and an official announcement.

## Policy on Dependency Updates

To ensure the stability of our ecosystem, we follow a **7-day "soak" period** for most dependency updates. This allows the community to identify any "left-of-vulnerability" issues or regressions in new upstream releases before we integrate them.

If you have specific concerns regarding a high-severity CVE in one of our dependencies, please contact us at the email above.

## Third-Party Modules

Reports regarding security bugs in third-party modules should be directed to the person or team maintaining that specific module. However, if a third-party vulnerability creates a direct risk to a Contrast project, please let us know.

## Learning More

To learn more about securing your applications with Contrast, please visit [our documentation](https://docs.contrastsecurity.com/?lang=en).
Loading