|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +| Version | Supported | |
| 6 | +| ------- | ------------------ | |
| 7 | +| 2.2.0.0 | :white_check_mark: | |
| 8 | +| 2.1.0.1 | :x:, upgrade to 2.2.0.0| |
| 9 | +| <= 1.4.x | :x:, no longer supported AT ALL | |
| 10 | + |
| 11 | +## Reporting a Vulnerability |
| 12 | + |
| 13 | +If you believe that you have found a vulnerability in ESAPI, first please search the |
| 14 | +GitHut issues list (for both open and closed issues) to see if it has already been reported. |
| 15 | + |
| 16 | +If it has not, then please contact **both** of the project leaders, Kevin W. Wall |
| 17 | +(kevin.w.wall at gmail.com) and Matt Seil (matt.seil at owasp.org) _directly_. |
| 18 | +Please do **not** report any suspected vulnerabilities via GitHub issues |
| 19 | +or via the ESAPI mailing lists as we wish to keep our users secure while a patch |
| 20 | +is implemented and deployed. This is because if this is reported as a GitHub |
| 21 | +issue or posted to either ESAPI mailing list, it more or less is equivalent to |
| 22 | +dropping a 0-day on all applications using ESAPI. Instead, we encourage |
| 23 | +responsible disclosure. |
| 24 | + |
| 25 | +If you wish to be acknowledged for finding the vulnerability, then please follow |
| 26 | +this process. One of the 2 ESAPI project leaders will try to contact you within |
| 27 | +at least 5 business days, so when you post the email describing the |
| 28 | +vulnerability, please do so from an email address that you usually monitor. |
| 29 | +If you eventually wish to have it published as a CVE, we will also work with you |
| 30 | +to ensure that you are given proper credit with MITRE and NIST. Even if you do |
| 31 | +not wish to report the vulnerability as a CVE, we will acknowledge you when we |
| 32 | +create a GitHub issue (once the issue is patched) as well as acknowledging you |
| 33 | +in any security bulletin that we may write up and use to notify our users. (If you wish |
| 34 | +to have your identity remain unknown, or perhaps you email address, we can work |
| 35 | +with you on that as well.) |
| 36 | + |
| 37 | +If possible, provide a working proof-of-concept or at least minimally describe |
| 38 | +how it can be exploited in sufficient details that the ESAPI development team |
| 39 | +can understand what needs to be done to fix it. Unfortunately at this time, we |
| 40 | +are not in a position to pay out bug bounties for vulnerabilities. |
| 41 | + |
| 42 | +Eventually, we would like to have BugCrowd handle this, but that's still a ways off. |
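Review bot: Several typos and one contradictory phrase in this file should be fixed before merge. Line 14 reads "GitHut issues list" and should be "GitHub issues list"; line 34 reads "or perhaps you email address" and should be "or perhaps your email address"; line 38 reads "in sufficient details" and should be "in sufficient detail". Line 27 says a project leader "will try to contact you within at least 5 business days", which mixes an upper and a lower bound; "within 5 business days" states the intended commitment. The Supported Versions table (lines 5 to 9) puts free text in the Supported column for the unsupported rows, which renders unevenly; consider a separate Notes column, e.g. "| 2.1.0.1 | :x: | upgrade to 2.2.0.0 |". Since the policy asks reporters to email two individuals directly (lines 16 and 17) and a proof-of-concept (line 37), consider also documenting how to send that report confidentially (for example a PGP key or fingerprint for each contact), so that the 0-day concern raised on lines 20 to 22 is addressed for the reporting channel itself.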