hasura/graphql-engine
1
0
Fork 0
mirror of https://github.com/hasura/graphql-engine.git synced 2024-12-18 13:02:11 +03:00
Code Issues Projects Releases Wiki Activity
2b2145d024
graphql-engine/docs/graphql/manual/security-disclosure/index.rst

64 lines
3.0 KiB
ReStructuredText
Raw Normal View History

docs: add meta descriptions to pages (#3631)
2020-01-14 15:57:45 +03:00
.. meta::
:description: Hasura security vulnerability reporting and disclosure
:keywords: hasura, docs, security, security disclosure, vulnerability
docs: replace doc with ref (close #4054) (#4068)
2020-03-11 22:42:36 +03:00
.. _security_vulnerability:
docs: add security announce mailing list (#2923)
2019-09-23 14:12:47 +03:00
Security vulnerability reporting and disclosure
===============================================
.. contents:: Table of contents
:backlinks: none
:depth: 1
:local:
.. inspired and adapted from https://kubernetes.io/docs/reference/issues-security/security/ (https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)
This page describes the Hasura security vulnerability reporting and disclosure process.
Security announcements
----------------------
Join the `Hasura Security Announcements <https://groups.google.com/forum/#!forum/hasura-security-announce>`_ group for emails about security announcements.
Reporting vulnerabilities
-------------------------
Were extremely grateful for security researchers and users that report vulnerabilities to the Hasura community. All reports are thoroughly investigated by the project's maintainers.
To report a security issue, please email us at build@hasura.io with all the details, attaching all necessary information.
When should I report a vulnerability?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- You think you have discovered a potential security vulnerability in the Hasura GraphQL engine or related components.
- You are unsure how a vulnerability affects the Hasura GraphQL engine.
- You think you discovered a vulnerability in another project that Hasura GraphQL engine depends on (e.g. Heroku, Docker, etc).
- You want to report any other security risk that could potentially harm Hasura GraphQL engine users.
When should I NOT report a vulnerability?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- You need help tuning Hasura GraphQL engine components for security.
- You need help applying security related updates.
- Your issue is not security related.
Vulnerability report response
-----------------------------
Each vulnerability report is acknowledged and analyzed by the projects maintainers within 3 working days.
The reporter will be kept updated at every stage of the issues analysis and resolution (triage -> fix -> release).
Vulnerability public disclosure timing
--------------------------------------
A public disclosure date in case a vulnerability is discovered is negotiated by the Hasura team and the bug submitter.
We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available.
It is reasonable to delay disclosure when the vulnerability or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination.
The time frame for disclosure is from immediate (especially if its already publicly known) to a few weeks.
Though, we expect the time frame between a report to a public disclosure to typically be in the order of 7 days.
docs: add meta descriptions to pages (#3631)
2020-01-14 15:57:45 +03:00
The Hasura GraphQL engine maintainers will take the final call on setting a disclosure date.
Reference in New Issue Copy Permalink