github.com/gramework/gramework@v1.8.1-0.20231027140105-82555c9057f5/docs/SECURITY.md

### TL;DR

We use a simplified version of the [Golang Security Policy](https://golang.org/security).
For example, for now we skip CVE assignment.

### Reporting a Security Bug

Please report any issues you find to us. This document explains how to do that and what to expect in return.

All security bugs in our releases should be reported by email to oss-security@highload.solutions.
This mail is delivered to a small security team.
Your email will be acknowledged within 24 hours, and you'll receive a more detailed response
to your email within 72 hours indicating the next steps in handling your report.
For critical problems, you can encrypt your report using our PGP key (listed below).

Please use a descriptive subject line for your report email.
After the initial reply to your report, the security team will
endeavor to keep you informed of the progress being made towards a fix and full announcement.
These updates will be sent at least every five days.
In reality, this is more likely to be every 24-48 hours.

If you have not received a reply to your email within 48 hours, or you have not heard from the security
team for the past five days, please contact us by email at developers@highload.solutions or by Telegram message
to [our support](https://t.me/highload_support).
Please note that the developers@highload.solutions list includes all developers, some of whom may be outside our open-source security team.
When escalating on this list, please do not disclose the details of the issue.
Simply state that you're trying to reach a member of the security team.

### Flagging Existing Issues as Security-related

If you believe that an existing issue is security-related, we ask that you send an email to oss-security@highload.solutions.
The email should include the issue ID and a short description of why it should be handled according to this security policy.

### Disclosure Process

Our project uses the following disclosure process:

- Once the security report is received, it is assigned a primary handler. This person coordinates the fix and release process.
- The issue is confirmed and a list of affected software is determined.
- Code is audited to find any potential similar problems.
- Fixes are prepared for the two most recent major releases and the head/master revision. These fixes are not yet committed to the public repository.
- To notify users, a new issue without security details is submitted to our GitHub repository.
- Three working days following this notification, the fixes are applied to the public repository and a new release is issued.
- On the date that the fixes are applied, an announcement is published in the issue.

This process can take some time, especially when coordination is required with maintainers of other projects.
Every effort will be made to handle the bug in as timely a manner as possible; however, it's important that we follow
the process described above to ensure that disclosures are handled consistently.

### Receiving Security Updates

The best way to receive security announcements is to subscribe to ("Watch") our repository.
Any GitHub issue pertaining to a security problem will be prefixed with `[security]`.

### Comments on This Policy

If you have any suggestions to improve this policy, please send an email to oss-security@highload.solutions for discussion.

### PGP Key for oss-security@highload.solutions

We accept PGP-encrypted email, but the majority of the security team are not regular PGP users,
so it's somewhat inconvenient. Please only use PGP for critical security reports.