vulnerability-reporting.md

File metadata and controls

51 lines (48 loc) · 3.16 KB

Vulnerability Reporting

The "vulnerability-reporting" section provides the policies and procedures for properly reporting a security issue. Here security researchers can quickly find the security policy, the contacts, the bug bounty program, and the in-scope and out-of-scope areas. This section is required. If the project is maintained and active, it is strongly recommended to accept vulnerability reports and to publish a security policy (e.g., SECURITY.md).

vulnerability-reporting:
  accepts-vulnerability-reports: true
  email-contact: [email protected]
  security-policy: https://foo.bar/reporting.html
  bug-bounty-available: true
  bug-bounty-url: https://foo.bar/bugs.html
  in-scope:
  - broken access control
  - other
  out-scope:
  - other
  pgp-key: |
    your-key-here
  comment: |
    Lorem ipsum...

  • accepts-vulnerability-reports (Required)
    • Description: Define whether the project maintainers or security team accept security reports. If the project is active or maintained, it is highly recommended to set this to true.
    • Type: Boolean.
  • bug-bounty-available
    • Description: Define if a bug bounty program is in-place or not.
    • Type: Boolean.
  • bug-bounty-url
    • Description: URI to the bug bounty program, if it is public.
    • Type: String. The provided URL must meet the IRI standard (RFC 3987) and begin with https://.
  • email-contact (Conditionally required)
    • Description: E-mail contact to report vulnerabilities or other related information.
    • Type: String. The provided email must meet the format idn-email.
    • Condition: This value is required if accepts-vulnerability-reports is true.
  • security-policy (Conditionally required)
    • Description: URI to the project security policy or similar document (SECURITY.md, security.txt, etc.).
    • Type: String. The provided URL must meet the IRI standard (RFC 3987) and begin with https://.
    • Condition: This value is required if accepts-vulnerability-reports is true.
  • pgp-key
    • Description: PGP public key block that reporters can use to encrypt vulnerability reports sent to the contact address.
    • Type: String. The provided PGP key must start with -----BEGIN PGP PUBLIC KEY BLOCK----- and must end with -----END PGP PUBLIC KEY BLOCK-----.
  • in-scope
    • Description: In-scope vulnerability categories, according to the OWASP Top 10 2021. It is recommended to give a more detailed in-scope list in the security policy or in the bug bounty program.
    • Type: Array. Every element must match one of the values defined in the field enum of the schema.
  • out-scope
    • Description: Out-of-scope vulnerability categories, according to the OWASP Top 10 2021. It is recommended to give a more detailed out-of-scope list in the security policy or in the bug bounty program.
    • Type: Array. Every element must match one of the values defined in the field enum of the schema.
  • comment
    • Description: If you have added anything to the lists of in-scope or out-of-scope vulnerabilities, please explain the reasoning here. Other information may also be valuable here, such as the preferred contact method if your security policy offers several options.
    • Type: String. At most 560 characters.
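The field constraints above (the conditional requirement on email-contact and security-policy, the https:// prefix, the PGP armor markers, the enum for scope lists, the 560-character comment limit) are easy to get wrong by hand, so the following is an added example of a small checker for a loaded vulnerability-reporting mapping. It is not code from the security-insights project or its schema; it assumes the YAML has already been parsed into a Python dict (for instance with PyYAML), uses a simplified e-mail check in place of the schema's idn-email format, and treats SCOPE_ENUM as a placeholder containing only the two values shown on this page, since the schema's real enum is the authority. The GOOD and BAD mappings are constructed sample inputs.

```python
"""Added example: validate a loaded ``vulnerability-reporting`` mapping.

Not part of the security-insights project. Assumes the YAML section has
already been parsed into a dict (e.g. with PyYAML).
"""

PGP_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PGP_END = "-----END PGP PUBLIC KEY BLOCK-----"
MAX_COMMENT = 560

# Assumption: placeholder enum with only the two values the page shows.
# The real schema's enum is authoritative.
SCOPE_ENUM = {"broken access control", "other"}


def _check_https(field, value, findings):
    # URL fields must be strings beginning with https://
    if not isinstance(value, str) or not value.startswith("https://"):
        findings.append(f"{field}: must be a string beginning with https://")


def check_vulnerability_reporting(section):
    """Return a list of human-readable findings; an empty list means it passes."""
    findings = []

    accepts = section.get("accepts-vulnerability-reports")
    if not isinstance(accepts, bool):
        findings.append("accepts-vulnerability-reports: required boolean")
        accepts = False

    # Conditionally required fields: only when reports are accepted.
    if accepts:
        for field in ("email-contact", "security-policy"):
            if not section.get(field):
                findings.append(
                    f"{field}: required when accepts-vulnerability-reports is true")

    email = section.get("email-contact")
    if email is not None:
        # Simplified stand-in for the schema's idn-email format check.
        if (not isinstance(email, str) or "@" not in email
                or any(c.isspace() for c in email)):
            findings.append("email-contact: not a valid e-mail address")

    for field in ("security-policy", "bug-bounty-url"):
        if field in section:
            _check_https(field, section[field], findings)

    bounty = section.get("bug-bounty-available")
    if bounty is not None and not isinstance(bounty, bool):
        findings.append("bug-bounty-available: must be a boolean")

    key = section.get("pgp-key")
    if key is not None:
        stripped = key.strip() if isinstance(key, str) else ""
        if not (stripped.startswith(PGP_BEGIN) and stripped.endswith(PGP_END)):
            findings.append("pgp-key: must start with the BEGIN marker and end with the END marker")

    for field in ("in-scope", "out-scope"):
        items = section.get(field)
        if items is None:
            continue
        if not isinstance(items, list):
            findings.append(f"{field}: must be an array")
            continue
        for item in items:
            if item not in SCOPE_ENUM:
                findings.append(f"{field}: {item!r} is not in the schema enum")

    comment = section.get("comment")
    if comment is not None and (not isinstance(comment, str) or len(comment) > MAX_COMMENT):
        findings.append(f"comment: must be a string of at most {MAX_COMMENT} characters")

    return findings


# Constructed sample: a section that satisfies every constraint on the page.
GOOD = {
    "accepts-vulnerability-reports": True,
    "email-contact": "security@example.org",
    "security-policy": "https://example.org/security.html",
    "bug-bounty-available": False,
    "in-scope": ["broken access control"],
    "out-scope": ["other"],
    "pgp-key": PGP_BEGIN + "\n\nplaceholder-key-body\n" + PGP_END + "\n",
    "comment": "Please use e-mail as the first contact.",
}

# Constructed sample: accepts reports but is missing the contact, uses plain
# http, a non-boolean flag, an unarmored key, an unknown category and an
# overlong comment.
BAD = {
    "accepts-vulnerability-reports": True,
    "security-policy": "http://example.org/security.html",
    "bug-bounty-available": "yes",
    "bug-bounty-url": "https://example.org/bounty",
    "pgp-key": "your-key-here",
    "in-scope": ["broken access control", "sql injection"],
    "comment": "x" * 600,
}

if __name__ == "__main__":
    for name, section in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_vulnerability_reporting(section) or "ok")
```

Running the block prints "ok" for GOOD and six findings for BAD. Note that the page's own example, with `your-key-here` as the pgp-key value, would be flagged by the marker check, which is the intended behaviour: a placeholder is not a usable key.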