From 82f21ac60bf797db449a167f47bac255b110e3a5 Mon Sep 17 00:00:00 2001 From: DarkSky Date: Wed, 28 Feb 2024 08:07:49 +0000 Subject: [PATCH] feat: udpate security policy docs (#5927) --- SECURITY.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..21b10e12e4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Supported Versions + +We recommend users to always use the latest major version. Security updates will be provided for the current major version until the next major version is released. + +| Version | Supported | +| --------------- | ------------------ | +| 0.12.x (stable) | :white_check_mark: | +| < 0.12.x | :x: | + +## Reporting a Vulnerability + +We welcome you to provide us with bug reports via and email at [security@toeverything.info](mailto:security@toeverything.info). We expect your report to contain at least the following for us to evaluate and reproduce: + +1. Using platform and version, for example: + + - macos arm64 0.12.0-canary-202402220729-0868ac6 + - app.affine.pro 0.12.0-canary-202402220729-0868ac6 + +2. A sets of video or screenshot containing the reproduce steps that proves you successfully exploited the vulnerability, preferably including the time and software version of the successful exploit. + +3. Your classification or analysis of the vulnerability (optional) + +Since we are an open source project, we also welcome you to provide corresponding fix PRs. + +We will provide bounties for vulnerabilities involving user information leakage, permission leakage, and unauthorized code execution. For other types of vulnerabilities, we will determine specific rewards based on the evaluation results. + +If the vulnerability is caused by a library we depend on, we encourage you to submit a security report to the corresponding dependent library at the same time to benefit more users.
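Review bot: the "Reporting a Vulnerability" section of the new SECURITY.md has several grammar errors that should be fixed before merging: "via and email" should read "via an email", "Using platform and version" should be "Platform and version", and "A sets of video or screenshot containing the reproduce steps that proves" should be "A set of videos or screenshots showing the reproduction steps that prove". Beyond wording, the policy tells reporters nothing about what happens after they send the email (no acknowledgement window, no coordinated-disclosure timeline) and never states explicitly that vulnerabilities must not be filed as public GitHub issues; a line such as "we will acknowledge reports within N days" and a sentence asking reporters not to open a public issue would close both gaps. The commit subject also has a typo ("udpate").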