H0llyW00dzZ/fiber
H0llyW00dzZ/fiber
1
0
Fork 0
mirror of https://github.com/gofiber/fiber.git synced 2025-02-24 01:23:56 +00:00
Code Releases Activity

Merge pull request #484 from gofiber/security-policy

Browse Source 
Create SECURITY.md
This commit is contained in:
fenny 2020-06-19 00:37:27 +02:00 committed by GitHub
commit 49e1e864e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
SECURITY.md Normal file
View File

@ -0,0 +1,77 @@
# Security Policy
1. [Supported Versions](#versions)
2. [Reporting security problems to Fiber](#reporting)
3. [Security Point of Contact](#contact)
4. [Incident Response Process](#process)
<a name="versions"></a>
## Supported Versions
The table below shows the supported versions for Fiber which include security updates.
| Version | Supported |
| -------- | ------------------ |
| >= 1.9.x | :white_check_mark: |
| < 1.9.0 | :x: |
<a name="reporting"></a>
## Reporting security problems to Fiber
**DO NOT CREATE AN ISSUE** to report a security problem. Instead, please
join our discord server via [this invite link](https://discord.gg/bSnH7db)
and create a new ticket in our `#support` channel by typing
`!new Security problem`.
<a name="contact"></a>
## Security Point of Contact
The security point of contact is [Fenny](https://github.com/Fenny). Fenny responds
to security incident reports as fast as possible, within one business day at the
latest.
In case Fenny does not respond within a reasonable time, the secondary point
of contact are any of the [@maintainers](https://github.com/orgs/gofiber/teams/maintainers).
The maintainers only other persons with administrative access to Fiber's source code.
<a name="process"></a>
## Incident Response Process
In case an incident is discovered or reported, we will follow the following
process to contain, respond and remediate:
### 1. Containment
The first step is to find out the root cause, nature and scope of the incident.
- Is still ongoing? If yes, first priority is to stop it.
- Is the incident outside of our influence? If yes, first priority is to contain it.
- Find out knows about the incident and who is affected.
- Find out what data was potentially exposed.
### 2. Response
After the initial assessment and containment to our best abilities, we will
document all actions taken in a response plan.
We will create a comment in the official `#announcements` channel to inform users about
the incident and what actions we took to contain it.
### 3. Remediation
Once the incident is confirmed to be resolved, we will summarize the lessons
learned from the incident and create a list of actions we will take to prevent
it from happening again.
### Secure accounts with access
The [Fiber Organization](https://github.com/gofiber) requires 2FA authorization
for all of it's members.
### Critical Updates And Security Notices
We learn about critical software updates and security threats from these sources
1. GitHub Security Alerts
2. GitHub: https://status.github.com/ & [@githubstatus](https://twitter.com/githubstatus)
3. Travis (CI/CD): https://www.traviscistatus.com/ & [@traviscistatus](https://twitter.com/traviscistatus)