crowdsec/security.MD


# Security Policy
## Scope
This security policy applies to:

- CrowdSec agent
- CrowdSec Local API
- CrowdSec bouncers **developed and maintained** by the CrowdSec team [1]

Reports regarding developments by community members who are not part of the crowdsecurity organization will be thoroughly investigated nonetheless.

[1] Projects developed and maintained by the CrowdSec team live under the **crowdsecurity** GitHub organization. Bouncers developed by community members who are not part of the CrowdSec organization are explicitly excluded.

## Reporting a Vulnerability
We're extremely grateful to security researchers and users who report vulnerabilities in the CrowdSec project. All reports are thoroughly investigated by members of the CrowdSec organization.

You can email the private [security@crowdsec.net](mailto:security@crowdsec.net) list with the security details, plus the details expected for [all CrowdSec bug reports](https://github.com/crowdsecurity/crowdsec/blob/master/.github/ISSUE_TEMPLATE/bug_report.md).

You may encrypt your email to this list using the GPG key of the [Security team](https://doc.crowdsec.net/docs/next/contact_team). Encryption using GPG is NOT required to make a disclosure.

## When Should I Report a Vulnerability?
- You think you have discovered a potential security vulnerability in CrowdSec
- You are unsure how a vulnerability affects CrowdSec
- You think you have discovered a vulnerability in another project that CrowdSec depends on
- For projects with their own vulnerability reporting and disclosure process, please report it directly there

<!-- Very heavily inspired from https://kubernetes.io/docs/reference/issues-security/security/ -->