From a2093e5c4db99bfafc05a33573818e80d5c9730e Mon Sep 17 00:00:00 2001 From: Mo Bitar Date: Fri, 22 Nov 2019 10:00:16 -0600 Subject: [PATCH] Create SECURITY.md --- SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..6561eba2f --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,37 @@ +Thank you for your work in helping keep Standard Notes safe and secure. If you believe you've found a security issue in our product, we encourage you to notify us. We welcome working with you to resolve the issue promptly. + +# Disclosure Policy + +- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every + effort to quickly resolve the issue. Please email [security@standardnotes.org](mailto:security@standardnotes.org) for a direct response. +- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a + third-party. We may publicly disclose the issue before resolving it, if appropriate. +- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or + degradation of our service. Only interact with accounts you own or with explicit permission of the + account holder. + +# In-scope + +- Security issues in any current release of Standard Notes. Our product downloads are available on our homepage at https://standardnotes.org, and our source code is available at https://github.com/standardnotes. + +# Exclusions + +The following bug classes are out-of scope: + +- Bugs that are already reported on any of Standard Notes' issue trackers (https://github.com/standardnotes), or that we already know of. +- Issues in an upstream software dependency (ex: Electron, React Native) which are already reported to the upstream maintainer. +- Attacks requiring physical access to a user's device. 
+- Self-XSS +- Issues related to software or protocols not under SN's control +- Vulnerabilities in outdated versions of Standard Notes +- Missing security best practices that do not directly lead to a vulnerability +- Issues that do not have any impact on the general public + +While researching, we'd like to ask you to refrain from: + +- Denial of service +- Spamming +- Social engineering (including phishing) of Standard Notes' staff or contractors +- Any physical attempts against Standard Notes' property or data centers + +Thank you for helping keep Standard Notes secure!
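Review bot: The Disclosure Policy section of this hunk asks reporters for "a reasonable amount of time to resolve the issue" but states no target for acknowledging a report or for a fix, so a reporter cannot tell when disclosure would be considered premature; suggest adding explicit timelines, e.g. "+ We aim to acknowledge reports within N business days" (fill in the project's actual commitment) alongside the email line. Related: the line "+ third-party. We may publicly disclose the issue before resolving it, if appropriate." is ambiguous about whether that disclosure is coordinated with the reporter, and the contact line gives a plain mailto with no PGP key or other encrypted channel for sending vulnerability details. Minor: "out-of scope" in the Exclusions header line should read "out-of-scope".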