# Security Policy

## Scope

This security policy applies to:

- Crowdsec agent
- Crowdsec Local API
- Crowdsec bouncers **developed and maintained** by the Crowdsec team [1]

Reports regarding developments of community members that are not part of the crowdsecurity organization will be thoroughly investigated nonetheless.

[1] Projects developed and maintained by the Crowdsec team are under the **crowdsecurity** GitHub organization. Bouncers developed by community members that are not part of the Crowdsec organization are explicitly excluded.

## Reporting a Vulnerability

We are extremely grateful to security researchers and users that report vulnerabilities regarding the Crowdsec project. All reports are thoroughly investigated by members of the Crowdsec organization.

You can email the private [security@crowdsec.net](mailto:security@crowdsec.net) list with the security details and the details expected for [all Crowdsec bug reports](https://github.com/crowdsecurity/crowdsec/blob/master/.github/ISSUE_TEMPLATE/bug_report.md).

You may encrypt your email to this list using the GPG key of the [Security team](https://doc.crowdsec.net/docs/next/contact_team). Encryption using GPG is NOT required to make a disclosure.

## When Should I Report a Vulnerability?

- You think you discovered a potential security vulnerability in Crowdsec
- You are unsure how a vulnerability affects Crowdsec
- You think you discovered a vulnerability in another project that Crowdsec depends on

For projects with their own vulnerability reporting and disclosure process, please report it directly there.

<!-- Very heavily inspired by https://kubernetes.io/docs/reference/issues-security/security/ -->