From 17346b657e871ec804768eed63195b92b5dd64a0 Mon Sep 17 00:00:00 2001 From: Gary Allan <github@gallan.co.uk> Date: Fri, 1 Oct 2021 21:11:22 +0100 Subject: [PATCH] Feature: Add SECURITY.md and update README.md Closes #3405 --- README.md | 10 +++++++--- SECURITY.md | 20 ++++++++++++++++++++ 2 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 76fe7f6d..485ad41d 100755 --- a/README.md +++ b/README.md @@ -32,10 +32,14 @@ the demo page: `Admin / ipamadmin` Community maintained docker images are available at https://hub.docker.com/u/phpipam ## Changelog -See misc/CHANGELOG +See [misc/CHANGELOG](misc/CHANGELOG) ## Roadmap -See misc/Roadmap +See [misc/Roadmap](misc/Roadmap) + +## Security + +See [SECURITY.md](SECURITY.md) ## Contact miha.petkovsek@gmail.com @@ -46,4 +50,4 @@ that is used for development of phpIPAM and for demo site. And also to all users that filed a bug report / feature report and helped with feature testing! ## License -phpIPAM is released under the GPL v3 license, see misc/gpl-3.0.txt. +phpIPAM is released under the GPL v3 license, see [misc/gpl-3.0.txt](misc/gpl-3.0.txt). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..430594b3 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,20 @@ +# Security Policy + +## Supported Versions + +The development branch and non-obsolete production branches listed in [README.md](README.md) are supported with security updates. + +Issues only in feature testing (non-production) branches should be reported via the GitHub issue tracker. + +## Reporting a Vulnerability + +Please report suspected security vulnerabilities to the contacts below. We will aim to acknowledge your email within 48 hours but could be longer (holidays etc...) + +- Gary Allan (maintainer) github@gallan.co.uk +- Miha Petkovsek (owner) miha.petkovsek@gmail.com + +## Guidelines + +CVE numbers will not be provided by the phpIPAM project due to lack of resources to manage their lifecycle. If you require a CVE number please obtain prior to reporting a vulnerability and include with your submission. + +Issues that are the responsibility of end-users such as use of weak passwords or choice to deploy with HTTP vs HTTPS will be rejected. \ No newline at end of file -- GitLab
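Review bot: in the README.md hunk at `@@ -32,10 +32,14 @@`, the new `## Security` section is a bare `See [SECURITY.md](SECURITY.md)` sitting directly above `## Contact miha.petkovsek@gmail.com`, so a reader scanning for where to send a vulnerability report will most likely take the first address they see and may open a public issue instead. Suggest one sentence under `## Security` saying that suspected vulnerabilities must be reported privately as described in SECURITY.md and not via the public issue tracker, so the policy is visible even to people who never open the second file.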
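Review bot: in the new SECURITY.md hunk, the `## Reporting a Vulnerability` section lists only two plain email addresses with no PGP key or fingerprint, so a reporter has no way to send a proof-of-concept encrypted; suggest publishing a key (or a link to one) beside each contact. A few other points in the same file: `## Supported Versions` defers to "non-obsolete production branches listed in [README.md](README.md)" without naming them, so a reporter cannot tell from this file whether the version they tested is in scope (list the branches here or link the exact README section); the policy states a 48-hour acknowledgement target but no expected fix or disclosure timeline and no statement of where fixes are announced (for example the changelog linked from the README), which reporters need to plan coordinated disclosure; and the `## Guidelines` paragraph asks reporters to obtain a CVE "prior to reporting a vulnerability", which means a third-party CNA hears about the issue before the maintainers do, so consider allowing the CVE request after the maintainers have confirmed the report instead. Minor: the trailing `holidays etc...)` and the missing final newline (`\ No newline at end of file`) are easy cleanups.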