Define responsible disclosure policy
This commit is contained in:
parent
e0b952e516
commit
61e6e0ffaa
1 changed files with 50 additions and 0 deletions
50
SECURITY.md
Normal file
@ -0,0 +1,50 @@
ente believes that working with security researchers across the globe is crucial
to keeping our users safe. If you believe you've found a security issue in our
product or service, we encourage you to notify us (security@ente.io). We welcome
working with you to resolve the issue promptly. Thanks in advance!

# Disclosure Policy

- Let us know as soon as possible upon discovery of a potential security issue,
and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any
disclosure to the public or a third-party. We may publicly disclose the issue
before resolving it, if appropriate.
- Make a good faith effort to avoid privacy violations, destruction of data, and
interruption or degradation of our service. Only interact with accounts you
own or with explicit permission of the account holder.
- If you would like to encrypt your report, please use the PGP key with long ID
`E273695C0403F34F74171932DF6DDDE98EBD2394` (available in the public keyserver
pool).

# In-scope

- Security issues in any current release of ente. This includes the web app,
desktop app, and mobile apps (iOS and Android). Product downloads are
available at https://ente.io. Source code is available at
https://github.com/ente-io.

# Exclusions

The following bug classes are out-of scope:

- Bugs that are already reported on any of ente's issue trackers
(https://github.com/ente-io), or that we already know of. Note that some of
our issue tracking is private.
- Issues in an upstream software dependency (ex: Flutter, Next.js etc) which are
already reported to the upstream maintainer.
- Attacks requiring physical access to a user's device.
- Self-XSS
- Issues related to software or protocols not under ente's control
- Vulnerabilities in outdated versions of ente
- Missing security best practices that do not directly lead to a vulnerability
- Issues that do not have any impact on the general public

While researching, we'd like to ask you to refrain from:

- Denial of service
- Spamming
- Social engineering (including phishing) of ente staff or contractors
- Any physical attempts against ente property or data centers

Thank you for helping keep ente and our users safe!
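Review bot: The PGP bullet in the Disclosure Policy section calls `E273695C0403F34F74171932DF6DDDE98EBD2394` a "long ID", but a 40-hex-digit value is the full key fingerprint (a long key ID is the last 16 hex digits); label it as the fingerprint, which is also the stronger thing for a reporter to verify, and consider publishing the key in this repository or on https://ente.io as well, so reporters do not depend on keyserver availability. In the same section, "Provide us a reasonable amount of time" and "We may publicly disclose the issue before resolving it, if appropriate" leave both sides without a concrete expectation; state a disclosure window (for example a fixed number of days after acknowledgement) and the circumstances under which ente would disclose early, and add an acknowledgement timeline for reports sent to security@ente.io. Minor: "out-of scope" in the Exclusions section should read "out-of-scope".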