enso/docs/SECURITY.md
2020-07-01 15:26:49 +01:00

layout: developer-doc
title: Security Policy
category: summary
tags: summary, security, vulnerability, report
order: 4

Security Policy

This document outlines the security policy for Enso and its libraries.

If you believe that you have found a vulnerability in Enso or one of its libraries, please see the section on reporting a vulnerability below.

Supported Versions

Security updates for Enso are provided for the versions shown below with a next to them. No other versions have security updates provided.

Version Supported
main@HEAD
wip/*

Please see our release policy for more information on how we support released versions.

Reporting a Vulnerability

If you believe that you've found a security vulnerability in the Enso codebase or one of the libraries maintained in this repository, please contact security@enso.org and provide details of the bug.

You can expect an update on a reported vulnerability within one business day, and the timeline works as follows:

  1. We analyse your report to determine the risk posed by the vulnerability and our next steps. This may involve asking for more information.
  2. We will email the submitter with our verdict as to whether or not it is a vulnerability, as well as the severity if it is.
  3. We plan and outline any steps necessary to fix the bug, including the timeline for fixing the vulnerability within 90 days.
  4. We will communicate the planned fix with the person who submitted the vulnerability report.
  5. We will fix the bug and communicate with the submitter when the fix has landed on main, and when it has been backported to the above supported versions.
  6. The submitter may then disclose the bug publicly.

All communication will take place via email with a member of our team.