graphql-engine/docs/graphql/core/security-disclosure/index.rst

.. meta::
   :description: Hasura security vulnerability protocol
   :keywords: hasura, docs, security, security disclosure, vulnerability

.. _security_protocol:

Security Vulnerability Protocol
===============================

.. contents:: Table of contents
  :backlinks: none
  :depth: 1
  :local:

.. inspired and adapted from https://kubernetes.io/docs/reference/issues-security/security/ (https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)

Introduction
------------

This page describes the Hasura security vulnerability reporting and disclosure process.

Security announcements
----------------------

Join the `Hasura Security Announcements <https://groups.google.com/forum/#!forum/hasura-security-announce>`__ group for emails about security announcements.

Reporting vulnerabilities
-------------------------

We’re extremely grateful for security researchers and users who report vulnerabilities to the Hasura community. All reports are thoroughly investigated by the Hasura team.

To report a security issue, please email us at build@hasura.io with details, if possible attaching relevant information. The more details we have, the quicker will we be able to fix potential vulnerabilities.

When should I report a vulnerability?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- You think you have discovered a potential security vulnerability in the Hasura GraphQL engine or related components.
- You are unsure how a vulnerability affects the Hasura GraphQL engine.
- You think you discovered a vulnerability in another project that Hasura GraphQL engine depends on (e.g. Heroku, Docker, etc).
- You want to report any other security risk that could potentially harm Hasura GraphQL engine users.

When should I NOT report a vulnerability?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- You need help tuning Hasura GraphQL engine components for security.
- You need help applying security related updates.
- Your issue is not security related.

In these cases you can join our `Discord server <https://hasura.io/discord>`__ where the community will be happy to help you out.

Vulnerability report response
-----------------------------

Each vulnerability report is acknowledged and analyzed by the Hasura team within 3 working days.

The reporter will be kept updated at every stage of the issue’s analysis and resolution (triage -> fix -> release).

Vulnerability public disclosure timing
--------------------------------------

A public disclosure date in case a vulnerability is discovered is negotiated by the Hasura team and the bug submitter.

We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available and enough of the affected instances have been upgraded.

It is reasonable to delay disclosure when the vulnerability or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination.
The time frame for disclosure is from immediate (especially if the vulnerability is already publicly known) to a few weeks.
Though, we expect the time frame between a report to a public disclosure to typically be in the order of 7 days.

In any case, the Hasura team will do their best to identify and fix any vulnerabilities as soon as possible, as well as communicate to the submitter about the progress and set a disclosure date.
-												docs: add meta descriptions to pages (#3631)


											
										
										
											2020-01-14 15:57:45 +03:00
+								.. meta::
-												docs: update security vulnerability page title (#4831)


											
										
										
											2020-05-21 09:56:38 +03:00
+								   :description: Hasura security vulnerability protocol
-												docs: add meta descriptions to pages (#3631)


											
										
										
											2020-01-14 15:57:45 +03:00
+								   :keywords: hasura, docs, security, security disclosure, vulnerability
-												docs: update security vulnerability page title (#4831)


											
										
										
											2020-05-21 09:56:38 +03:00
+								.. _security_protocol:
-												docs: replace doc with ref (close #4054) (#4068)


											
										
										
											2020-03-11 22:42:36 +03:00
-												docs: docs for remote joins (close #4911) (#5132)


											
										
										
											2020-07-08 00:47:42 +03:00
+								Security Vulnerability Protocol
-												docs: update security vulnerability page title (#4831)


											
										
										
											2020-05-21 09:56:38 +03:00
+								===============================
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
 								.. contents:: Table of contents
 								  :backlinks: none
 								  :depth: 1
 								  :local:
 								.. inspired and adapted from https://kubernetes.io/docs/reference/issues-security/security/ (https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								Introduction
 								------------
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
+								This page describes the Hasura security vulnerability reporting and disclosure process.
 								Security announcements
 								----------------------
-												docs: update links in docs (#5331)


											
										
										
											2020-07-09 11:42:33 +03:00
+								Join the `Hasura Security Announcements <https://groups.google.com/forum/#!forum/hasura-security-announce>`__ group for emails about security announcements.
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
 								Reporting vulnerabilities
 								-------------------------
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								We’re extremely grateful for security researchers and users who report vulnerabilities to the Hasura community. All reports are thoroughly investigated by the Hasura team.
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								To report a security issue, please email us at build@hasura.io with details, if possible attaching relevant information. The more details we have, the quicker will we be able to fix potential vulnerabilities.
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
 								When should I report a vulnerability?
 								^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 								- You think you have discovered a potential security vulnerability in the Hasura GraphQL engine or related components.
 								- You are unsure how a vulnerability affects the Hasura GraphQL engine.
 								- You think you discovered a vulnerability in another project that Hasura GraphQL engine depends on (e.g. Heroku, Docker, etc).
 								- You want to report any other security risk that could potentially harm Hasura GraphQL engine users.
 								When should I NOT report a vulnerability?
 								^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 								- You need help tuning Hasura GraphQL engine components for security.
 								- You need help applying security related updates.
 								- Your issue is not security related.
-												docs: update links in docs (#5331)


											
										
										
											2020-07-09 11:42:33 +03:00
+								In these cases you can join our `Discord server <https://hasura.io/discord>`__ where the community will be happy to help you out.
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
+								Vulnerability report response
 								-----------------------------
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								Each vulnerability report is acknowledged and analyzed by the Hasura team within 3 working days.
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
 								The reporter will be kept updated at every stage of the issue’s analysis and resolution (triage -> fix -> release).
 								Vulnerability public disclosure timing
 								--------------------------------------
 								A public disclosure date in case a vulnerability is discovered is negotiated by the Hasura team and the bug submitter.
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available and enough of the affected instances have been upgraded.
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
+								It is reasonable to delay disclosure when the vulnerability or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination.
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								The time frame for disclosure is from immediate (especially if the vulnerability is already publicly known) to a few weeks.
-												docs: add security announce mailing list (#2923)


											
										
										
											2019-09-23 14:12:47 +03:00
+								Though, we expect the time frame between a report to a public disclosure to typically be in the order of 7 days.
-												docs: update security guide (#4730)


											
										
										
											2020-05-12 15:12:51 +03:00
+								In any case, the Hasura team will do their best to identify and fix any vulnerabilities as soon as possible, as well as communicate to the submitter about the progress and set a disclosure date.