- Security Policies for Open Source Repos by Aquia
- Overview
- Security Vulnerability Reporting
- Security Vulnerability Response
- Disclosures
- Attributions
We are grateful for every contributor to our repositories, and we want to maintain security standards that reflect an awareness of the space in which we participate. Out of respect for the time, safety, and security of our code bases and their users, please adhere to the following security practices. This document outlines the processes that govern repositories created, maintained, and owned by Aquia.
If you would like to report a vulnerability in this or any other Aquia-maintained repository, or have other security concerns, please email [email protected]. Please do not open a public GitHub issue for the report, since that would disclose the issue before a fix is available.
To help us respond to your report as quickly as possible, please include as much of the following as you can:
- Steps to reproduce or proof-of-concept
- Any relevant tools, including versions used
- Tool output
Each report will be reviewed, and receipt will be acknowledged within 5 business days. Acknowledgement starts the security review process detailed below.
Any vulnerability information shared with the security team stays within the maintainers of this project and will not be shared with others unless doing so is necessary to fix the issue. Information is shared strictly on a need-to-know basis.
We ask that vulnerability reporter(s) act in good faith by not disclosing the issue to others while it is being addressed. In turn, we strive to act in good faith by responding swiftly and by justly crediting the reporter(s) in writing.
As the security issue moves through triage, identification, and release, the reporter will be notified at each stage. We may also ask the reporter follow-up questions about the vulnerability.
Vulnerability disclosures are published as blog posts on the Aquia Blog. Each disclosure contains an overview, details about the vulnerability, the fix (typically a released update), and, where one is available, a workaround.
We follow GitHub's standard, industry-accepted process for coordinated vulnerability disclosure.
Disclosures are published on the same day as the release that fixes the vulnerability, once that release is available.
The language in this document was written with inspiration from several open source projects. The language used in these projects reflects the responsibility of contributors and maintainers to uphold a standard of conduct in the community. We thank the following groups: