-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
59 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -111,3 +111,7 @@ Documentation | |
| --------------- | ||
|
|
||
| For more information, refer to the `document <https://aliyuncontainerservice.github.io/ack-ram-tool/>`__. | ||
|
|
||
| Security | ||
| ------------- | ||
| Please report vulnerabilities by email to [email protected]. Also see our `SECURITY.md <./SECURITY.md>`__ file for details. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -106,3 +106,6 @@ RAM Roles for Service Accounts (RRSA) | |
|
|
||
| 更多信息详见 `文档 <https://aliyuncontainerservice.github.io/ack-ram-tool/>`__ | ||
|
|
||
| 安全 | ||
| -------- | ||
| 对于发现的安全漏洞,请邮件发送至[email protected],您可在`SECURITY.md <./SECURITY.md>`__文件中找到更多信息。 | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Security Policy | ||
|
|
||
| - [Security Policy](#security-policy) | ||
| - [Reporting security problems](#reporting-security-problems) | ||
| - [Vulnerability Management Plans](#vulnerability-management-plans) | ||
| - [Critical Updates And Security Notices](#critical-updates-and-security-notices) | ||
|
|
||
| ## Reporting security problems | ||
|
|
||
| **DO NOT CREATE AN ISSUE** to report a security problem. Instead, please | ||
| send an email to [email protected] | ||
|
|
||
| Please follow the [embargo policy](./embargo-policy.md) for all security-related problems. | ||
|
|
||
| ## Vulnerability Management Plans | ||
|
|
||
| ### Critical Updates And Security Notices | ||
|
|
||
| We learn about critical software updates and security threats from these sources | ||
|
|
||
| 1. GitHub Security Alerts | ||
| 2. [Dependabot](https://dependabot.com/) Dependency Updates |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # Embargo Policy | ||
|
|
||
| This policy forbids members of this project's security contacts any others | ||
| defined below from sharing information outside of the security contacts and this | ||
| listing without need-to-know and advance notice. | ||
|
|
||
| The information members and others receive from the list defined below must: | ||
|
|
||
| * not be made public, | ||
| * not be shared, | ||
| * not be hinted at | ||
| * must be kept confidential and close held | ||
|
|
||
| Except with the list's explicit approval. This holds true until the public | ||
| disclosure date/time that was agreed upon by the list. | ||
|
|
||
| If information is inadvertently shared beyond what is allowed by this policy, | ||
| you are REQUIRED to inform the security contacts [email protected] of exactly what | ||
| information leaked and to whom. A retrospective will take place after the leak | ||
| so we can assess how to not make this mistake in the future. | ||
|
|
||
| Violation of this policy will result in the immediate removal and subsequent | ||
| replacement of you from this list or the Security Contacts. | ||
|
|
||
| ## Disclosure Timeline | ||
|
|
||
| This project sustains a **disclosure timeline** to ensure we provide a | ||
| quality, tested release. On some occasions, we may need to extend this timeline | ||
| due to complexity of the problem, lack of expertise available, or other reasons. | ||
| Submitters will be notified if an extension occurs. |