|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +Security updates are currently provided for the following branches: |
| 6 | + |
| 7 | +| Version / Branch | Supported | |
| 8 | +| --- | --- | |
| 9 | +| `main` | Yes | |
| 10 | +| Active release branches | Yes | |
| 11 | +| Deprecated branches | No | |
| 12 | +| Archived repositories | No | |
| 13 | + |
| 14 | +Security fixes are applied to `main` first. Backports to release branches are handled based on severity, exploitability, and maintenance status. |
| 15 | + |
| 16 | +## Reporting a Vulnerability |
| 17 | + |
| 18 | +Please do not open a public GitHub issue for security vulnerabilities. |
| 19 | + |
| 20 | +To report a vulnerability, use GitHub's private vulnerability reporting feature by clicking **Report a vulnerability** on the repository Security page. |
| 21 | + |
| 22 | +When reporting a vulnerability, please include: |
| 23 | + |
| 24 | +- Affected repository |
| 25 | +- Affected branch or version |
| 26 | +- Vulnerability description |
| 27 | +- Steps to reproduce |
| 28 | +- Proof of concept, if available |
| 29 | +- Potential impact |
| 30 | +- Suggested fix, if known |
| 31 | + |
| 32 | +We ask that reporters follow responsible disclosure and give RedTeam maintainers reasonable time to investigate and remediate before public disclosure. |
| 33 | + |
| 34 | +## Response Timeline |
| 35 | + |
| 36 | +| Severity | Acknowledgement | Initial Assessment | Target Resolution | |
| 37 | +| --- | --- | --- | --- | |
| 38 | +| Critical | 1 business day | 3 business days | As soon as possible | |
| 39 | +| High | 2 business days | 5 business days | 14 business days | |
| 40 | +| Medium | 5 business days | 10 business days | 30 days | |
| 41 | +| Low | 10 business days | 15 business days | Best effort | |
| 42 | + |
| 43 | +Timelines may vary depending on complexity, dependency ownership, upstream fixes, and release coordination. |
| 44 | + |
| 45 | +## Scope |
| 46 | + |
| 47 | +The following are in scope: |
| 48 | + |
| 49 | +- Vulnerabilities in RedTeam-owned source code |
| 50 | +- Vulnerable dependencies used by RedTeam repositories |
| 51 | +- GitHub Actions workflow vulnerabilities |
| 52 | +- Dockerfile or container security issues |
| 53 | +- Authentication or authorization issues |
| 54 | +- Access control problems |
| 55 | +- Sensitive data exposure |
| 56 | +- Secret leakage in repository history or workflows |
| 57 | + |
| 58 | +## Out of Scope |
| 59 | + |
| 60 | +The following are out of scope: |
| 61 | + |
| 62 | +- Social engineering |
| 63 | +- Physical attacks |
| 64 | +- Denial-of-service testing |
| 65 | +- Spam or phishing reports unrelated to RedTeam code |
| 66 | +- Issues requiring compromised accounts |
| 67 | +- Reports from automated scanners without clear impact |
| 68 | +- Missing security headers on non-production systems |
| 69 | +- Vulnerabilities in third-party services not controlled by RedTeam |
| 70 | + |
| 71 | +## Disclosure Process |
| 72 | + |
| 73 | +After receiving a report, RedTeam maintainers will: |
| 74 | + |
| 75 | +1. Acknowledge the report. |
| 76 | +2. Validate and reproduce the issue. |
| 77 | +3. Determine severity and affected versions. |
| 78 | +4. Develop and test a fix. |
| 79 | +5. Release a patch or mitigation. |
| 80 | +6. Credit the reporter if requested and appropriate. |
| 81 | + |
| 82 | +## Security Updates |
| 83 | + |
| 84 | +Security fixes may be released through: |
| 85 | + |
| 86 | +- Direct commits to the default branch |
| 87 | +- Patch releases |
| 88 | +- Dependency update pull requests |
| 89 | +- GitHub Security Advisories |
| 90 | +- Release notes or changelog entries |
| 91 | + |
| 92 | +Thank you for helping keep RedTeam secure. |
0 commit comments