docs: update security guide (#4730)

Marion Schleifer 2020-05-12 14:12:51 +02:00 committed by GitHub
parent 201dcca59a
commit d17b2232d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -14,6 +14,9 @@ Security vulnerability reporting and disclosure
.. inspired and adapted from https://kubernetes.io/docs/reference/issues-security/security/ (https://github.com/kubernetes/website/blob/master/content/en/docs/reference/issues-security/security.md)
Introduction
------------
This page describes the Hasura security vulnerability reporting and disclosure process.
Security announcements
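Review bot: the attribution to the Kubernetes security page is only an RST comment (the `..` line at the top of this hunk), so it never renders; since the new Introduction section and the rest of the page are adapted from that source, consider a visible attribution line (for example under the new "Introduction" heading) so readers and the original authors can see where the text comes from.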
@ -24,9 +27,9 @@ Join the `Hasura Security Announcements <https://groups.google.com/forum/#!forum
Reporting vulnerabilities
-------------------------
Were extremely grateful for security researchers and users that report vulnerabilities to the Hasura community. All reports are thoroughly investigated by the project's maintainers.
Were extremely grateful for security researchers and users who report vulnerabilities to the Hasura community. All reports are thoroughly investigated by the Hasura team.
To report a security issue, please email us at build@hasura.io with all the details, attaching all necessary information.
To report a security issue, please email us at build@hasura.io with details, if possible attaching relevant information. The more details we have, the quicker will we be able to fix potential vulnerabilities.
When should I report a vulnerability?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
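Review bot: the new sentence "The more details we have, the quicker will we be able to fix potential vulnerabilities." has inverted word order; "the quicker we will be able to fix" reads correctly. Both the old and the new first line of this hunk also keep "Were extremely grateful", which should be "We're extremely grateful" since the line is being rewritten anyway.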
@ -43,10 +46,12 @@ When should I NOT report a vulnerability?
- You need help applying security related updates.
- Your issue is not security related.
In these cases you can join our `Discord server <http://hasura.io/discord>`_ where the community will be happy to help you out.
Vulnerability report response
-----------------------------
Each vulnerability report is acknowledged and analyzed by the projects maintainers within 3 working days.
Each vulnerability report is acknowledged and analyzed by the Hasura team within 3 working days.
The reporter will be kept updated at every stage of the issues analysis and resolution (triage -> fix -> release).
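Review bot: "every stage of the issues analysis and resolution" in the last context line needs a possessive, "the issue's analysis and resolution"; while this paragraph is being touched, the Discord link in the context above uses `http://hasura.io/discord`, which on a security page should be `https://`.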
@ -55,9 +60,10 @@ Vulnerability public disclosure timing
A public disclosure date in case a vulnerability is discovered is negotiated by the Hasura team and the bug submitter.
We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available.
We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available and enough of the affected instances have been upgraded.
It is reasonable to delay disclosure when the vulnerability or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination.
The time frame for disclosure is from immediate (especially if its already publicly known) to a few weeks.
The time frame for disclosure is from immediate (especially if the vulnerability is already publicly known) to a few weeks.
Though, we expect the time frame between a report to a public disclosure to typically be in the order of 7 days.
The Hasura GraphQL engine maintainers will take the final call on setting a disclosure date.
In any case, the Hasura team will do their best to identify and fix any vulnerabilities as soon as possible, as well as communicate to the submitter about the progress and set a disclosure date.
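Review bot: the added condition "and enough of the affected instances have been upgraded" has no measurable criterion, and the team cannot observe upgrade rates of self-hosted deployments, so it gives reporters no way to predict the disclosure date and sits awkwardly beside the "typically be in the order of 7 days" expectation a few lines later; either state how "enough" is judged (for example, once the fixed release has been available for a stated period) or drop the clause and rely on the "from immediate to a few weeks" range already given. Minor: "Though, we expect the time frame between a report to a public disclosure" reads better as "That said, we expect the time frame between a report and public disclosure".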