This repository was archived by the owner on May 14, 2020. It is now read-only.

Commit 8047a03

Create SECURITY.md (#1590)
* Create SECURITY.md
1 parent e761ae6 commit 8047a03

1 file changed

+35
-0
lines changed


SECURITY.md

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
OWASP CRS has two types of releases, Major releases (3.0.0, 3.1.0, 3.2.0 etc.) and point releases (3.0.1, 3.0.2 etc.).
6+
For more information see our [wiki](https://github.com/SpiderLabs/owasp-modsecurity-crs/wiki/Release-Policy).
7+
The OWASP CRS officially supports the two point releases with security patching preceding the current major release .
8+
We are happy to receive and merge PR's that address security issues in older versions of the project, but the team itself may choose not to fix these.
9+
Along those lines, OWASP CRS team may not issue security notifications for unsupported software.
10+
11+
| Version | Supported |
12+
| --------- | ------------------ |
13+
| 3.3.x-dev | :white_check_mark: |
14+
| 3.2.x | :white_check_mark: |
15+
| 3.1.x | :white_check_mark: |
16+
| 3.0.x | :x: |
17+
18+
## Reporting a Vulnerability
19+
20+
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users.
21+
We welcome bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
22+
Submit these types of non-vulnerability related issues via Github.
23+
Please include your installed version and the relevant portions of your audit log.
24+
False negative or common bypasses should [create an issue](https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/new) so they can be addressed.
25+
26+
Do this before submitting a vulnerability using our email:
27+
1) Verify that you have the latest version of OWASP CRS.
28+
2) Validate which Paranoia Level this bypass applies to. If it works in PL4, please send us an email.
29+
3) If you detected anything that causes unexpected behavior of the engine via manipulation of existing CRS provided rules, please send it by email.
30+
31+
Our email is [[email protected]](mailto:[email protected]). You can send us encrypted email using [this key](https://coreruleset.org/security.asc), (fingerprint: `3600 6F0E 0BA1 6783 2158 8211 38EE ACA1 AB8A 6E72`).
32+
33+
We are happy to work with the community to provide CVE identifiers for any discovered security issues if requested.
34+
35+
If in doubt, feel free to reach out to us!
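Review bot: the support statement in "Supported Versions" does not match the table below it. The sentence "officially supports the two point releases with security patching preceding the current major release ." (note the stray space before the period) reads as if only two releases are covered, while the table marks three lines as supported (3.3.x-dev, 3.2.x and 3.1.x). Suggest stating it the way the table does, e.g. "Security fixes are provided for the current development branch and the two most recent minor release lines (currently 3.2.x and 3.1.x)." Related: the intro calls 3.0.0, 3.1.0 and 3.2.0 "Major releases" and 3.0.1, 3.0.2 "point releases"; under the semver vocabulary most readers bring, those are minor and patch releases, so either use those terms or say explicitly that CRS uses its own naming. In "Reporting a Vulnerability", "False negative or common bypasses should create an issue" should be "Reports of false negatives or common bypasses should be filed as an issue", and "PR's" should be "PRs". Finally, the policy gives a contact address and key but no expectation on acknowledgement or coordinated-disclosure timing; a sentence such as "we aim to acknowledge reports within N days and will coordinate a disclosure date with the reporter" would give reporters something to plan against.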
