Skip to content

Commit 9a23b01

Browse files
tomerdtomerd
authored
adopt SSWG security guidelines (#101)
* adopt SSWG security guidelines add SECURITY.md detailing the security process * Update README.md
1 parent 84d2bc3 commit 9a23b01

File tree

2 files changed

+47
-0
lines changed

2 files changed

+47
-0
lines changed

README.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -306,3 +306,7 @@ lifecycle.registerShutdown(
306306
-------
307307

308308
Do not hesitate to get in touch as well, over on https://forums.swift.org/c/server.
309+
310+
## Security
311+
312+
Please see [SECURITY.md](SECURITY.md) for details on the security process.

SECURITY.md

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
# Security
2+
3+
This document specifies the security process for the Swift Service Lifecycle project.
4+
5+
## Disclosures
6+
7+
### Private Disclosure Process
8+
9+
The Swift Service Lifecycle maintainers ask that known and suspected vulnerabilities be
10+
privately and responsibly disclosed by emailing
11+
[[email protected]](mailto:[email protected])
12+
with the all the required detail.
13+
**Do not file a public issue.**
14+
15+
#### When to report a vulnerability
16+
17+
* You think you have discovered a potential security vulnerability in Swift Service Lifecycle.
18+
* You are unsure how a vulnerability affects Swift Service Lifecycle.
19+
20+
#### What happens next?
21+
22+
* A member of the team will acknowledge receipt of the report within 3
23+
working days (United States). This may include a request for additional
24+
information about reproducing the vulnerability.
25+
* We will privately inform the Swift Server Work Group ([SSWG][sswg]) of the
26+
vulnerability within 10 days of the report as per their [security
27+
guidelines][sswg-security].
28+
* Once we have identified a fix we may ask you to validate it. We aim to do this
29+
within 30 days. In some cases this may not be possible, for example when the
30+
vulnerability exists at the protocol level and the industry must coordinate on
31+
the disclosure process.
32+
* If a CVE number is required, one will be requested from [MITRE][mitre]
33+
providing you with full credit for the discovery.
34+
* We will decide on a planned release date and let you know when it is.
35+
* Prior to release, we will inform major dependents that a security-related
36+
patch is impending.
37+
* Once the fix has been released we will publish a security advisory on GitHub
38+
and in the Server → Security Updates category on the [Swift forums][swift-forums-sec].
39+
40+
[sswg]: https://github.com/swift-server/sswg
41+
[sswg-security]: https://github.com/swift-server/sswg/blob/main/security/README.md
42+
[swift-forums-sec]: https://forums.swift.org/c/server/security-updates/
43+
[mitre]: https://cveform.mitre.org/

0 commit comments

Comments
 (0)