Skip to content

Latest commit

 

History

History
65 lines (44 loc) · 3.82 KB

SECURITY.md

File metadata and controls

65 lines (44 loc) · 3.82 KB

Security Policy

GatewayD appreciates community feedback and responsible reporting of any vulnerability that may have been found.

Supported Versions

GatewayD Labs / https://gatewayd.io GatewayD Labs is behind the free and open-source project GatewayD, a cloud-native database gateway and framework for building data-driven applications [email protected]

Version Supported
All

Reporting a Vulnerability

The GatewayD research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly.

If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability.

Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team.

We appreciate the hard work maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted.

Vulnerability Report (Suggested Format)

I identified potential security vulnerabilities in GatewayD.

I am committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues.

If at any point you have concerns or questions about this process, please do not hesitate to reach out to me at [email].

If you are NOT the correct point of contact for this report, please let me know!

Summary
Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Product
GatewayD (or specific plugin)

Tested Version
[version]

Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability

Impact
[impact]

Remediation
Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue.

GitHub Security Advisories (please include https://github.com/mostafa)
If possible, please could you create a private GitHub Security Advisory for these findings? This allows you to invite me to collaborate and further discuss these findings in private before they are published. I will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered. When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours, and the CVE details will be published after you make your security advisory public. Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can update to the fixed version.

Credit
List all researchers who contributed to this disclosure. If you found the vulnerability with a specific tool, you can also credit this tool.

Contact
[contact]