diff --git a/docs/docs/policies/security-disclosure.mdx b/docs/docs/policies/security-disclosure.mdx index 03677128be4..8878092b36f 100644 --- a/docs/docs/policies/security-disclosure.mdx +++ b/docs/docs/policies/security-disclosure.mdx @@ -6,7 +6,7 @@ keywords: - security - security disclosure - vulnerability -sidebar_position: 1 +sidebar_position: 3 sidebar_label: Security vulnerability protocol --- @@ -31,7 +31,11 @@ reports are thoroughly investigated by the Hasura team. To report a security issue, please email us at with details, if possible attaching relevant information. The more details we have, the quicker will we be able to fix potential vulnerabilities. -We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things, stop immediately and report the issue. +We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our +discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities +which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations, +destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things, +stop immediately and report the issue. ### When should I report a vulnerability? 
@@ -87,7 +91,8 @@ We are keen on hearing about the vulnerabilities encompassing the following cate ## Out of scope vulnerabilities -When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope: +When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the +bug. The following issues are considered out of scope: - Clickjacking on pages with no sensitive actions. - Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions. 
@@ -101,13 +106,19 @@ When reporting vulnerabilities, please consider (1) attack scenario / exploitabi - Missing best practices in Content Security Policy. - Missing HttpOnly or Secure flags on cookies. - Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.). -- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]. -- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors). -- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis. +- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest + released stable version]. +- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, + application or server errors). +- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a + case-by-case basis. - Tabnabbing. - Open redirect - unless an additional security impact can be demonstrated. - Issues that require unlikely user interaction. - Missing best practices in Content Security Policy (CSP) or lack of other security-related headers. - Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS). -- Bugs in third-party components which the Hasura uses only qualify if you can prove that they can be used to successfully attack Hasura's in scope applications. -- SSRF issues - To be eligible for a bounty on HTTP/WS based SSRF submissions, please provide a proof of concept demonstrating access to sensitive resources such as leaking sensitive API keys or the ability to trigger state changing actions. 
Exploits just demonstrating a service header being responded would not meet the threshold. +- Bugs in third-party components which the Hasura uses only qualify if you can prove that they can be used to + successfully attack Hasura's in scope applications. +- SSRF issues - To be eligible for a bounty on HTTP/WS based SSRF submissions, please provide a proof of concept + demonstrating access to sensitive resources such as leaking sensitive API keys or the ability to trigger state + changing actions. Exploits just demonstrating a service header being responded would not meet the threshold. diff --git a/docs/docs/policies/sla.mdx b/docs/docs/policies/sla.mdx index 986ec685df9..dff5d4360b8 100644 --- a/docs/docs/policies/sla.mdx +++ b/docs/docs/policies/sla.mdx @@ -2,7 +2,7 @@ title: 'Cloud Standard, Professional, & EE: Hasura Service Level Agreement' description: Hasura Service Level Agreement for Hasura Cloud sidebar_label: Hasura SLA ☁️🏢 -sidebar_position: 0 +sidebar_position: 2 keywords: - hasura - service level agreement diff --git a/docs/docs/policies/support.mdx b/docs/docs/policies/support.mdx new file mode 100644 index 00000000000..ee5efc7aeba --- /dev/null +++ b/docs/docs/policies/support.mdx 
@@ -0,0 +1,58 @@ +--- +title: Hasura GraphQL Engine Support Policy +description: The support policy for Hasura GraphQL Engine +sidebar_label: Support +sidebar_position: 1 +keywords: + - hasura + - support + - LTS + - long term support +--- + +# Hasura Support Policy + +## Releases and support + +Hasura releases its software via: + +- **Major versions** that may have incompatible or breaking changes from the previous version. +- **Minor versions** that provide new functionality and bug fixes in a backwards-compatible manner. +- **Patch versions** that have backwards-compatible bug fixes. + +Hasura provides support for a given major or minor version of our software to eligible customers. Support includes: + +1. **Bug fixes**: Critical issues or bugs identified in the software are either provided a workaround or addressed + through minor or patch versions. +1. **Security updates**: Updates are provided via patches to address known security vulnerabilities in the software. +1. **Technical support**: Assistance is provided to users who encounter issues or have questions about the software. + +Hasura will support the latest minor version of the previous major version of the GraphQL Engine, including critical +security updates, for up to one year after the release of the current major version. + +## Long-term support (LTS) releases + +Hasura also provides long term support (LTS) releases of the Hasura GraphQL Engine (HGE) for Hasura Enterprise Edition +customers. An LTS version is a combination of a major and minor version. _For example: Hasura `v2.11`_. + +While we recommend our users to be on the latest release, we recognize the need for a long-term support release where +upgrading to a new feature release requires significant effort and planning, and there is a need to be up-to-date on +critical security fixes and critical bug fixes. + +- Hasura will support GraphQL Engine LTS releases for versions that are part of the Enterprise Edition packages. 
+- LTS releases will include critical security fixes, determined by Hasura with input from the customer's IT security + department, that leave the environment vulnerable to external threats. +- LTS releases will include bug fixes that are determined by Hasura to be critical or high priority and are causing the + Hasura GraphQL Engine to be inoperable in production. +- Security and critical bug fixes will be patched to a designated LTS version release. _E.g., `v2.x.1` will have the + first set of patches to the LTS version `v2.x.0.`_ +- An LTS release will be supported for two years from the initial release date. +- A new LTS version will be announced annually (at a minimum). + +LTS releases will not include new (or extended) features that are released in future major or minor versions. + +## Support and EOL for current LTS versions + +| LTS version | EOL Date | +| ----------- | ----------- | +| `v2.11` | Sep-01-2024 | diff --git a/docs/docs/policies/telemetry.mdx b/docs/docs/policies/telemetry.mdx index b77d46ee30f..fd6e6f7cc5d 100644 --- a/docs/docs/policies/telemetry.mdx +++ b/docs/docs/policies/telemetry.mdx @@ -5,7 +5,7 @@ keywords: - docs - guide - telemetry -sidebar_position: 2 +sidebar_position: 4 sidebar_label: Telemetry ---
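Review bot: in the security-disclosure.mdx reporting hunk, the unchanged context line directly above the reflowed bounty paragraph reads "please email us at with details", with nothing between "at" and "with"; since this is the only instruction for how to reach the security team, confirm that the address (or whatever component renders it) actually appears on the published page, and add it if it is genuinely missing. While touching this paragraph, "the quicker will we be able to fix" in the same context line reads better as "the quicker we will be able to fix".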
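Review bot: in the out-of-scope list hunk, "Missing best practices in Content Security Policy." appears twice: once as a context line near the top of the hunk and again further down as "Missing best practices in Content Security Policy (CSP) or lack of other security-related headers."; drop the first since the reflow is already rewriting this list. In the reflowed third-party line, "components which the Hasura uses" should be "components which Hasura uses". The zero-day item ("will be awarded on a case-by-case basis") describes something that may be rewarded, which sits oddly under an "Out of scope" heading; either move it to the in-scope section or reword it to "are assessed on a case-by-case basis" so the list stays consistent.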
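Review bot: in the new support.mdx LTS bullet list, `v2.x.0.` has the trailing period inside the backticks, so it renders as a version string ending in a dot; move the period outside. The bullet "critical security fixes, determined by Hasura ..., that leave the environment vulnerable to external threats" attaches "leave the environment vulnerable" to the fixes rather than to the vulnerabilities; suggest "fixes for security vulnerabilities, determined by Hasura with input from the customer's IT security department, that leave the environment exposed to external threats". Minor: "we recommend our users to be on the latest release" reads better as "we recommend that users run the latest release", and the table header "EOL Date" could match the capitalization of "LTS version".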