-
Notifications
You must be signed in to change notification settings - Fork 0
docs: S19.03 add SECURITY.md vulnerability disclosure policy #585
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
DavidCozens
wants to merge
2
commits into
main
Choose a base branch
from
docs/s19-03-security-policy
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| # Security Policy | ||
|
|
||
| Cozens Software Solutions Limited (COSOSO) takes the security of SolidSyslog | ||
| seriously. This policy explains how to report a vulnerability and what to | ||
| expect in return. | ||
|
|
||
| ## Reporting a vulnerability | ||
|
|
||
| **Please do not report security issues in public GitHub issues, pull | ||
| requests, or discussions.** Use one of the private channels below: | ||
|
|
||
| 1. **GitHub private vulnerability reporting (preferred).** On this | ||
| repository, go to the **Security** tab → **Report a vulnerability**. | ||
| This opens a private advisory visible only to you and the maintainer. | ||
| 2. **Web form.** If you cannot use GitHub, submit the form at | ||
| **https://cososo.co.uk/security/report**. It routes to a private inbox. | ||
|
|
||
| We do not publish a security email address. Both channels above reach the | ||
| maintainer privately. | ||
|
|
||
| ### What to include | ||
|
|
||
| The more of this you can provide, the faster we can triage: | ||
|
|
||
| - Affected component — **Core**, **Platform**, or **Bdd** (see *Scope* below) | ||
| - Affected version, tag, or commit SHA | ||
| - A description of the issue and its impact | ||
| - Reproduction steps or a proof of concept | ||
| - Your assessment of severity, and whether it is being actively exploited | ||
| - Whether you wish to be credited, and how | ||
|
|
||
| ## Our commitments | ||
|
|
||
| For the free (noncommercial) tier: | ||
|
|
||
| - **Acknowledgement** within **72 hours** of receipt. | ||
| - **Initial triage** and a **CVSS v3.1** assessment within **7 days**. | ||
| - **Fixes** are best-effort and severity-driven. The free tier carries no | ||
| fixed fix-time SLA. Extended support and guaranteed timelines are | ||
| available under a commercial agreement. | ||
|
|
||
| These timelines are best-effort commitments from a solo maintainer. They may | ||
| be exceeded during periods of illness, bereavement, or other circumstances | ||
| beyond the maintainer's control. In such cases the report will be | ||
| acknowledged and acted on as soon as is practicable. | ||
|
|
||
| ## Coordinated disclosure | ||
|
|
||
| We follow coordinated disclosure with a **90-day** window from the date of | ||
| report, plus a **14-day grace period** if a fix is imminent at day 90. We | ||
| will credit reporters who wish to be named, by consent captured at intake. | ||
|
|
||
| Advisories are published as **GitHub Security Advisories**. For | ||
| vulnerabilities in **Core** (see *Scope*), a **CVE** is requested via | ||
| GitHub's CNA. | ||
|
|
||
| ## Scope | ||
|
|
||
| SolidSyslog is a source-available component assembled into a product by the | ||
| integrator. Security treatment follows the repository's support tiers: | ||
|
|
||
| | Tier | Path | Treatment | | ||
| |---|---|---| | ||
| | 1 | `Core/` | Full treatment: CVE, advisory, fix, signed release, SBOM entry. | | ||
| | 2 | `Platform/` | Advisory treatment: public notice and an updated adapter. No CVE unless the root cause is in `Core/`. | | ||
| | 3 | `Bdd/Targets/` | Advisory treatment. Illustrative targets, not a supported product. | | ||
|
|
||
| Test code, build infrastructure, CI configuration, and documentation are not | ||
| in scope for this policy. Vulnerabilities in third-party libraries you choose | ||
| to link (OpenSSL, Mbed TLS, an RTOS TCP stack, …) are the responsibility of | ||
| those projects and your own supply-chain process; SolidSyslog bundles none of | ||
| them. | ||
|
|
||
| See the [threat model](docs/security/threat-model.md) for trust boundaries, | ||
| caller obligations, and what the library does and does not defend against. | ||
|
|
||
| ## Supported versions | ||
|
|
||
| SolidSyslog is maintained as a **single mainline**. Security fixes land on the | ||
| **latest published release** only. There is no back-port commitment on the | ||
| free tier; back-ports are available under a commercial agreement. | ||
|
|
||
| ## Continuity | ||
|
|
||
| If COSOSO ceases to maintain SolidSyslog without transferring it to a | ||
| successor maintainer, the then-current release will be relicensed under a | ||
| permissive open-source licence (for example Apache-2.0) so that existing | ||
| users are not stranded. | ||
|
|
||
| ## Commercial support | ||
|
|
||
| For commercial licensing, guaranteed response times, or back-port support, | ||
| contact us via the form at | ||
| [cososo.co.uk](https://www.cososo.co.uk/#contact). | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win
Remove the owner-specific contact link.
This section should stay on the durable disclosure endpoint only. The homepage contact link is owner-specific, so it weakens the migration-safe contract this policy is meant to provide. Prefer the
/security/reportform here too, or drop the link entirely.♻️ Proposed fix
📝 Committable suggestion
🤖 Prompt for AI Agents