This document describes our security policies and procedures for responsibly disclosing and handling security issues.
If you want to report a bug that is NOT security sensitive, please submit an issue.
We take all security issues seriously and appreciate your help in improving the security of the project through responsible disclosure.
Our team will acknowledge your effort as best we can, though we cannot offer a bug bounty for now.
If you have found a security issue, please report it to [email protected].
We will confirm receipt of your email within one business day and will follow up within 48 hours with a more detailed response on
our progress in handling your report.
After these first steps, we will keep you informed about our progress until the issue is resolved and may request
additional information from you.
Before reporting, please check whether the issue lies in our project or in one of the included third-party components.
Security issues in third-party projects should be reported to the respective project.
Our security policy defines the internal process for dealing with disclosures and aims to enable robust and efficient handling of reports.
The email address for responsible disclosures is managed by two team members with
a background in security.
Each of them is responsible for monitoring the inbox on work days and must prioritize evaluating and handling incoming
reports over other work.
This is done in consultation with the other responsible team member to avoid redundant work or communication.
In the following, the term "security team" refers to at least one of these two responsible team members.
The security team handles the incoming reports.
This includes:
- understanding and verifying the bug or problem described in the report
- estimating the severity of the security issue
- acknowledging the report by responding to the reporting person within one work day
- creating a fix for the bug and committing it to the repository
- optional: documenting the fixed security issue as a security advisory
- communicating every major step in the process to the reporting person
For reports with a high severity, the security team takes the appropriate actions immediately and reports to the team
afterwards.
The security team is trusted to decide which immediate actions are suitable for the situation. This is intended to provide the flexibility needed to act quickly and avoid harm.
For security bugs that are not considered severe, the security team handles the report within the stated time period and
discusses implications of the fix with the team if necessary.
If you have any suggestions regarding our responsible disclosure process or the security policy, do not hesitate to contact us or even submit a pull request!