Skip to content

Commit cfbc5e5

Browse files
committed
feat: add security policy document outlining vulnerability reporting and response procedures
1 parent 05f174a commit cfbc5e5

1 file changed

Lines changed: 92 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
Security updates are currently provided for the following branches:
6+
7+
| Version / Branch | Supported |
8+
| --- | --- |
9+
| `main` | Yes |
10+
| Active release branches | Yes |
11+
| Deprecated branches | No |
12+
| Archived repositories | No |
13+
14+
Security fixes are applied to `main` first. Backports to release branches are handled based on severity, exploitability, and maintenance status.
15+
16+
## Reporting a Vulnerability
17+
18+
Please do not open a public GitHub issue for security vulnerabilities.
19+
20+
To report a vulnerability, use GitHub's private vulnerability reporting feature by clicking **Report a vulnerability** on the repository Security page.
21+
22+
When reporting a vulnerability, please include:
23+
24+
- Affected repository
25+
- Affected branch or version
26+
- Vulnerability description
27+
- Steps to reproduce
28+
- Proof of concept, if available
29+
- Potential impact
30+
- Suggested fix, if known
31+
32+
We ask that reporters follow responsible disclosure and give RedTeam maintainers reasonable time to investigate and remediate before public disclosure.
33+
34+
## Response Timeline
35+
36+
| Severity | Acknowledgement | Initial Assessment | Target Resolution |
37+
| --- | --- | --- | --- |
38+
| Critical | 1 business day | 3 business days | As soon as possible |
39+
| High | 2 business days | 5 business days | 14 business days |
40+
| Medium | 5 business days | 10 business days | 30 days |
41+
| Low | 10 business days | 15 business days | Best effort |
42+
43+
Timelines may vary depending on complexity, dependency ownership, upstream fixes, and release coordination.
44+
45+
## Scope
46+
47+
The following are in scope:
48+
49+
- Vulnerabilities in RedTeam-owned source code
50+
- Vulnerable dependencies used by RedTeam repositories
51+
- GitHub Actions workflow vulnerabilities
52+
- Dockerfile or container security issues
53+
- Authentication or authorization issues
54+
- Access control problems
55+
- Sensitive data exposure
56+
- Secret leakage in repository history or workflows
57+
58+
## Out of Scope
59+
60+
The following are out of scope:
61+
62+
- Social engineering
63+
- Physical attacks
64+
- Denial-of-service testing
65+
- Spam or phishing reports unrelated to RedTeam code
66+
- Issues requiring compromised accounts
67+
- Reports from automated scanners without clear impact
68+
- Missing security headers on non-production systems
69+
- Vulnerabilities in third-party services not controlled by RedTeam
70+
71+
## Disclosure Process
72+
73+
After receiving a report, RedTeam maintainers will:
74+
75+
1. Acknowledge the report.
76+
2. Validate and reproduce the issue.
77+
3. Determine severity and affected versions.
78+
4. Develop and test a fix.
79+
5. Release a patch or mitigation.
80+
6. Credit the reporter if requested and appropriate.
81+
82+
## Security Updates
83+
84+
Security fixes may be released through:
85+
86+
- Direct commits to the default branch
87+
- Patch releases
88+
- Dependency update pull requests
89+
- GitHub Security Advisories
90+
- Release notes or changelog entries
91+
92+
Thank you for helping keep RedTeam secure.

0 commit comments

Comments
 (0)