134ac2e68c
* add security.md * add metrics and config show
30 lines
No EOL
1.7 KiB
Markdown
# Security Policy

## Scope

This security policy applies to:

- Crowdsec agent
- Crowdsec Local API
- Crowdsec bouncers **developed and maintained** by Crowdsec's team [1]

Reports regarding developments of community members that are not part of the crowdsecurity organization will be thoroughly investigated nonetheless.

[1] Projects developed and maintained by the Crowdsec team are under the **crowdsecurity** GitHub organization. Bouncers developed by community members that are not part of the Crowdsec organization are explicitly excluded.

## Reporting a Vulnerability

We're extremely grateful for security researchers and users that report vulnerabilities regarding the Crowdsec project. All reports are thoroughly investigated by members of the Crowdsec organization.

You can email the private [security@crowdsec.net](mailto:security@crowdsec.net) list with the security details and the details expected for [all Crowdsec bug reports](https://github.com/crowdsecurity/crowdsec/blob/master/.github/ISSUE_TEMPLATE/bug_report.md).

You may encrypt your email to this list using the GPG key of the [Security team](https://doc.crowdsec.net/docs/next/contact_team). Encryption using GPG is NOT required to make a disclosure.

## When Should I Report a Vulnerability?

- You think you discovered a potential security vulnerability in Crowdsec
- You are unsure how a vulnerability affects Crowdsec
- You think you discovered a vulnerability in another project that Crowdsec depends on
  - For projects with their own vulnerability reporting and disclosure process, please report it directly there

<!-- Very heavily inspired by https://kubernetes.io/docs/reference/issues-security/security/ -->