docs: add support policy page

[DOCS-796]: https://hasurahq.atlassian.net/browse/DOCS-796?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8390
GitOrigin-RevId: a4ef56f470be1b06a4f9287fe372dcee6fcb0611
This commit is contained in:
Rob Dominguez 2023-03-23 08:10:16 -05:00 committed by hasura-bot
parent 48a8144ca1
commit 5549c4aa1b
4 changed files with 79 additions and 10 deletions


@ -6,7 +6,7 @@ keywords:
- security - security
- security disclosure - security disclosure
- vulnerability - vulnerability
sidebar_position: 1 sidebar_position: 3
sidebar_label: Security vulnerability protocol sidebar_label: Security vulnerability protocol
--- ---
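Review bot: sidebar_position goes from 1 to 3 here, and with the SLA page moved to 2 and the new support page taking 1 in this same change, the security vulnerability protocol now sits below the SLA in the sidebar; if the intent is to keep the disclosure process easy to find, consider 2 for this page and 3 for the SLA, or say in the PR why the SLA should come first.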
@ -31,7 +31,11 @@ reports are thoroughly investigated by the Hasura team.
To report a security issue, please email us at <security@hasura.io> with details, if possible attaching relevant To report a security issue, please email us at <security@hasura.io> with details, if possible attaching relevant
information. The more details we have, the quicker will we be able to fix potential vulnerabilities. information. The more details we have, the quicker will we be able to fix potential vulnerabilities.
We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things, stop immediately and report the issue. We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our
discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities
which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations,
destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things,
stop immediately and report the issue.
### When should I report a vulnerability? ### When should I report a vulnerability?
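Review bot: the rewrap keeps the comma splice in "We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our discretion, choose to award a bounty."; since these lines are being touched anyway, split it into two sentences ("... bug bounty program. However, for valid high- and critical-severity issues we may, ...") and hyphenate the compound adjectives. The context line just above has "the quicker will we be able to fix", which should read "the quicker we will be able to fix".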
@ -87,7 +91,8 @@ We are keen on hearing about the vulnerabilities encompassing the following cate
## Out of scope vulnerabilities ## Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope: When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the
bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions. - Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions. - Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
@ -101,13 +106,19 @@ When reporting vulnerabilities, please consider (1) attack scenario / exploitabi
- Missing best practices in Content Security Policy. - Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies. - Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.). - Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]. - Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors). released stable version].
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis. - Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces,
application or server errors).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a
case-by-case basis.
- Tabnabbing. - Tabnabbing.
- Open redirect - unless an additional security impact can be demonstrated. - Open redirect - unless an additional security impact can be demonstrated.
- Issues that require unlikely user interaction. - Issues that require unlikely user interaction.
- Missing best practices in Content Security Policy (CSP) or lack of other security-related headers. - Missing best practices in Content Security Policy (CSP) or lack of other security-related headers.
- Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS). - Leakage of sensitive tokens (e.g., reset password token) to trusted third parties on secure connection (HTTPS).
- Bugs in third-party components which the Hasura uses only qualify if you can prove that they can be used to successfully attack Hasura's in scope applications. - Bugs in third-party components which the Hasura uses only qualify if you can prove that they can be used to
- SSRF issues - To be eligible for a bounty on HTTP/WS based SSRF submissions, please provide a proof of concept demonstrating access to sensitive resources such as leaking sensitive API keys or the ability to trigger state changing actions. Exploits just demonstrating a service header being responded would not meet the threshold. successfully attack Hasura's in scope applications.
- SSRF issues - To be eligible for a bounty on HTTP/WS based SSRF submissions, please provide a proof of concept
demonstrating access to sensitive resources such as leaking sensitive API keys or the ability to trigger state
changing actions. Exploits just demonstrating a service header being responded would not meet the threshold.
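Review bot: the browser item's bracket, "Less than 2 stable versions behind the latest released stable version", describes a nearly current browser rather than an outdated one, so as written the exclusion is inverted; it should say "more than 2 stable versions behind" (or "two or more"). Three more things to fold into this rewrap: "Missing best practices in Content Security Policy." appears twice in the list (once alone and again as "... (CSP) or lack of other security-related headers"), so drop the first occurrence; "components which the Hasura uses" should be "components which Hasura uses"; and the zero-day item says such reports "will be awarded on a case-by-case basis", which reads oddly under an out-of-scope heading, so either phrase it as "are handled on a case-by-case basis" or move it to the in-scope guidance. In the SSRF item, "a service header being responded" would be clearer as "only a service banner or response header".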


@ -2,7 +2,7 @@
title: 'Cloud Standard, Professional, & EE: Hasura Service Level Agreement' title: 'Cloud Standard, Professional, & EE: Hasura Service Level Agreement'
description: Hasura Service Level Agreement for Hasura Cloud description: Hasura Service Level Agreement for Hasura Cloud
sidebar_label: Hasura SLA ☁️🏢 sidebar_label: Hasura SLA ☁️🏢
sidebar_position: 0 sidebar_position: 2
keywords: keywords:
- hasura - hasura
- service level agreement - service level agreement


@ -0,0 +1,58 @@
---
title: Hasura GraphQL Engine Support Policy
description: The support policy for Hasura GraphQL Engine
sidebar_label: Support
sidebar_position: 1
keywords:
- hasura
- support
- LTS
- long term support
---
# Hasura Support Policy
## Releases and support
Hasura releases its software via:
- **Major versions** that may have incompatible or breaking changes from the previous version.
- **Minor versions** that provide new functionality and bug fixes in a backwards-compatible manner.
- **Patch versions** that have backwards-compatible bug fixes.
Hasura provides support for a given major or minor version of our software to eligible customers. Support includes:
1. **Bug fixes**: Critical issues or bugs identified in the software are either provided a workaround or addressed
through minor or patch versions.
1. **Security updates**: Updates are provided via patches to address known security vulnerabilities in the software.
1. **Technical support**: Assistance is provided to users who encounter issues or have questions about the software.
Hasura will support the latest minor version of the previous major version of the GraphQL Engine, including critical
security updates, for up to one year after the release of the current major version.
## Long-term support (LTS) releases
Hasura also provides long term support (LTS) releases of the Hasura GraphQL Engine (HGE) for Hasura Enterprise Edition
customers. An LTS version is a combination of a major and minor version. _For example: Hasura `v2.11`_.
While we recommend our users to be on the latest release, we recognize the need for a long-term support release where
upgrading to a new feature release requires significant effort and planning, and there is a need to be up-to-date on
critical security fixes and critical bug fixes.
- Hasura will support GraphQL Engine LTS releases for versions that are part of the Enterprise Edition packages.
- LTS releases will include critical security fixes, determined by Hasura with input from the customer's IT security
department, that leave the environment vulnerable to external threats.
- LTS releases will include bug fixes that are determined by Hasura to be critical or high priority and are causing the
Hasura GraphQL Engine to be inoperable in production.
- Security and critical bug fixes will be patched to a designated LTS version release. _E.g., `v2.x.1` will have the
first set of patches to the LTS version `v2.x.0.`_
- An LTS release will be supported for two years from the initial release date.
- A new LTS version will be announced annually (at a minimum).
LTS releases will not include new (or extended) features that are released in future major or minor versions.
## Support and EOL for current LTS versions
| LTS version | EOL Date |
| ----------- | ----------- |
| `v2.11` | Sep-01-2024 |
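Review bot: the EOL table lists only an end date, while the policy above says an LTS release is supported for two years from its initial release date, so add a release (or "support start") column so readers can verify the window, and prefer ISO dates (2024-09-01) to Sep-01-2024, which some readers will parse as day-month. Smaller points in the same file: the front-matter title ("Hasura GraphQL Engine Support Policy") and the H1 ("Hasura Support Policy") differ, so pick one wording; in "`v2.x.0.`" the sentence's period sits inside the code span and should be moved outside, and since the LTS example just above is `v2.11`, writing `v2.11.1` and `v2.11.0` would make the patch naming concrete; "we recommend our users to be on the latest release" reads better as "we recommend that users run the latest release". Because security updates are one of the three things support promises, it would also help to link the security vulnerability protocol page that this same change renumbers.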


@ -5,7 +5,7 @@ keywords:
- docs - docs
- guide - guide
- telemetry - telemetry
sidebar_position: 2 sidebar_position: 4
sidebar_label: Telemetry sidebar_label: Telemetry
--- ---