Update SECURITY.md

This commit is contained in:
Timothy Jaeryang Baek 2024-08-19 09:18:40 -05:00 committed by GitHub
parent b4de0a52f8
commit ec99ac7121
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 10 additions and 2 deletions

View File

@ -9,10 +9,18 @@ Our primary goal is to ensure the protection and confidentiality of sensitive da
| main | :white_check_mark: |
| others | :x: |
## Zero Tolerance for External Platforms
Based on a precedent of an unacceptable degree of spamming and unsolicited communications from third-party platforms, we forcefully reaffirm our stance. **We refuse to engage with, join, or monitor any platforms outside of GitHub for vulnerability reporting.** Our reasons are not just procedural but are deep-seated in the ethos of our project, which champions transparency and direct community interaction inherent in the open-source culture. Any attempts to divert our processes to external platforms will be met with outright rejection. This policy is non-negotiable and understands no exceptions.
Any reports or solicitations arriving from sources other than our designated GitHub repository will be dismissed without consideration. Weve seen how external engagements can dilute and compromise the integrity of community-driven projects, and were not here to gamble with the security and privacy of our user community.
## Reporting a Vulnerability
We appreciate the community's interest in identifying potential vulnerabilities. However, effective immediately, we will **not** accept low-effort vulnerability reports. To ensure that submissions are constructive and actionable, please adhere to the following guidelines:
Reports not submitted through our designated GitHub repository will be disregarded, and we will categorically reject invitations to collaborate on external platforms. Our aggressive stance on this matter underscores our commitment to a secure, transparent, and open community where all operations are visible and contributors are accountable.
1. **No Vague Reports**: Submissions such as "I found a vulnerability" without any details will be treated as spam and will not be accepted.
2. **In-Depth Understanding Required**: Reports must reflect a clear understanding of the codebase and provide specific details about the vulnerability, including the affected components and potential impacts.
@ -23,7 +31,7 @@ We appreciate the community's interest in identifying potential vulnerabilities.
5. **Streamlined Merging Process**: When vulnerability reports meet the above criteria, we can consider them for immediate merging, similar to regular pull requests. Well-structured and thorough submissions will expedite the process of enhancing our security.
Submissions that do not meet these criteria will be closed, and repeat offenders may face a ban from future submissions. We aim to create a respectful and constructive reporting environment, where high-quality submissions foster better security for everyone.
**Non-compliant submissions will be closed, and repeat violators may be banned.** Our goal is to foster a constructive reporting environment where quality submissions promote better security for all users.
## Product Security
@ -33,4 +41,4 @@ For immediate concerns or detailed reports that meet our guidelines, please crea
---
_Last updated on **2024-08-06**._
_Last updated on **2024-08-19**._