graphql-engine/SECURITY.md

## Reporting Vulnerabilities

We’re extremely grateful for security researchers and users that report vulnerabilities to the Hasura Community. All reports are thoroughly investigated by a set of community volunteers and the Hasura team.

To report a security issue, please email us at [security@hasura.io](mailto:security@hasura.io) with all the details, attaching all necessary information.

### When Should I Report a Vulnerability?

- You think you have discovered a potential security vulnerability in the Hasura GraphQL Engine or related components.
- You are unsure how a vulnerability affects the Hasura GraphQL Engine.
- You think you discovered a vulnerability in another project that Hasura GraphQL Engine depends on (e.g. Heroku, Docker, etc).
- You want to report any other security risk that could potentially harm Hasura GraphQL Engine users.

### When Should I NOT Report a Vulnerability?

- You need help tuning Hasura GraphQL Engine components for security.
- You need help applying security related updates.
- Your issue is not security related.

## Security Vulnerability Response

Each report is acknowledged and analyzed by the project's maintainers and the security team within 3 working days. 

The reporter will be kept updated at every stage of the issue's analysis and resolution (triage -> fix -> release).

## Public Disclosure Timing

A public disclosure date is negotiated by the Hasura product security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Hasura GraphQL Engine maintainers and the security team will take the final call on setting a disclosure date.


(Some sections have been inspired and adapted from [https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md](https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)).

## Translations

This document is available in the following translations:

- [French :fr:](translations/SECURITY.french.md)
- [Hindi :india:](translations/SECURITY.hindi.md)
- [Malayalam :india:](translations/SECURITY.malayalam.md)
-												add guidelines for reporting security issues (close #322) (#687)


											
										
										
											2018-10-13 11:29:18 +03:00
+								## Reporting Vulnerabilities
 								We’re extremely grateful for security researchers and users that report vulnerabilities to the Hasura Community. All reports are thoroughly investigated by a set of community volunteers and the Hasura team.
-												github md pages: update email address for security team

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/7113
GitOrigin-RevId: f29224d486016ea8ef8bb6ff51d1059950509e02

											
										
										
											2022-12-01 20:18:28 +03:00
+								To report a security issue, please email us at [security@hasura.io](mailto:security@hasura.io) with all the details, attaching all necessary information.
-												add guidelines for reporting security issues (close #322) (#687)


											
										
										
											2018-10-13 11:29:18 +03:00
 								### When Should I Report a Vulnerability?
 								- You think you have discovered a potential security vulnerability in the Hasura GraphQL Engine or related components.
 								- You are unsure how a vulnerability affects the Hasura GraphQL Engine.
-												typo fix in readme (#3039)


											
										
										
											2019-10-26 07:06:35 +03:00
+								- You think you discovered a vulnerability in another project that Hasura GraphQL Engine depends on (e.g. Heroku, Docker, etc).
 								- You want to report any other security risk that could potentially harm Hasura GraphQL Engine users.
-												add guidelines for reporting security issues (close #322) (#687)


											
										
										
											2018-10-13 11:29:18 +03:00
 								### When Should I NOT Report a Vulnerability?
 								- You need help tuning Hasura GraphQL Engine components for security.
 								- You need help applying security related updates.
 								- Your issue is not security related.
 								## Security Vulnerability Response
-												typos in multiple files (#730)


											
										
										
											2018-10-15 10:25:35 +03:00
+								Each report is acknowledged and analyzed by the project's maintainers and the security team within 3 working days.
-												add guidelines for reporting security issues (close #322) (#687)


											
										
										
											2018-10-13 11:29:18 +03:00
 								The reporter will be kept updated at every stage of the issue's analysis and resolution (triage -> fix -> release).
 								## Public Disclosure Timing
 								A public disclosure date is negotiated by the Hasura product security team and the bug submitter. We prefer to fully disclose the bug as soon as possible once a user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. We expect the time-frame between a report to a public disclosure to typically be in the order of 7 days. The Hasura GraphQL Engine maintainers and the security team will take the final call on setting a disclosure date.
-												typo fix in readme (#3039)


											
										
										
											2019-10-26 07:06:35 +03:00
+								(Some sections have been inspired and adapted from [https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md](https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)).
-												add guidelines for reporting security issues (close #322) (#687)


											
										
										
											2018-10-13 11:29:18 +03:00
-												re-organise translations, add french (#1922)


											
										
										
											2019-04-15 11:16:32 +03:00
+								## Translations
 								This document is available in the following translations:
 								- [French :fr:](translations/SECURITY.french.md)
-												translation(hindi): add security.md (#3162)


											
										
										
											2020-01-05 09:02:23 +03:00
+								- [Hindi :india:](translations/SECURITY.hindi.md)
-												Malayalam(ml_IN) translation for SECURITY.md

GITHUB_PR_NUMBER: 9100
GITHUB_PR_URL: https://github.com/hasura/graphql-engine/pull/9100

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6454
Co-authored-by: Sarang S <85063520+eigengravy@users.noreply.github.com>
GitOrigin-RevId: 5385659d32327e0324a81283a6c2179151ecd7f8

											
										
										
											2022-10-20 11:51:39 +03:00
+								- [Malayalam :india:](translations/SECURITY.malayalam.md)