From 5eaa444f2be4c05e4e0d28c25ec3e78c2c7f484c Mon Sep 17 00:00:00 2001 From: Stijn Peeters Date: Fri, 28 Jan 2022 11:30:36 +0100 Subject: [PATCH] SECURITY.md and bug report template --- .github/ISSUE_TEMPLATE/bug_report.md | 32 +++++++++++++++++++++ SECURITY.md | 43 ++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 SECURITY.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 000000000..5599cad43 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,32 @@ + --- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Environment:** + - OS (if bug relates server/backend/install): [e.g~~. ubuntu 16.04~~] + - Browser (if bug relates to frontend): [e.g. chrome, safari] + - Version [e.g. 1.22; check the VERSION file in your 4CAT installation] + +**Additional context** +Add any other context about the problem here. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..c22406f0b --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,43 @@ +# Security Policy + +## Supported Versions + +We currently support 4CAT's master branch only. + +## Basic security + +4CAT relies on credentials stored in the config.py file. This includes access to your database where all information is +stored as well as API keys for third-party services. Therefore anyone with access to this file will be able to access +your database and use these keys. It is important to insure this file is protected. + +This is also true of a Docker installation. Whoever can access your Docker container, can also access the config.py +file. + +## Reporting a Vulnerability + +Please email reports about any security related issues you find to 4cat@oilab.eu. Your email will be acknowledged and +you'll receive a more detailed response to your email indicating the next steps in handling your report. + +Please use a descriptive subject line for your report email. After the initial reply to your report, the security team +will endeavor to keep you informed of the progress being made towards a fix and announcement. + +In addition, please include the following information along with your report: + +- Your name and affiliation (if any). +- A description of the technical details of the vulnerabilities. It is very important to let us know how we can + reproduce your findings. +- An explanation who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. +- This will help us evaluate your report quickly, especially if the issue is complex. +- Whether this vulnerability public or known to third parties. If it is, please provide details. + +If you believe that an existing (public) issue is security-related, please send an email to 4cat@oilab.eu. The email +should include the issue ID and a short description of why it should be handled according to this security policy. 
+ +Once an issue is reported, we use the following disclosure process: + +- When a report is received, we confirm the issue and determine its severity. +- If we know of specific third-party services or software based on 4CAT that require mitigation before publication, + those projects will be notified. +- An advisory is prepared (but not published) which details the problem and steps for mitigation. +- The vulnerability is fixed and potential workarounds are identified. +- Patch releases are published for all fixed released versions and the advisory is published.
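Review bot: in the bug_report.md hunk, the Environment line `- OS (if bug relates server/backend/install): [e.g~~. ubuntu 16.04~~]` is both ungrammatical ("relates to") and wraps the example in `~~`, which GitHub renders as strikethrough; replace it with `- OS (if bug relates to server/backend/install): [e.g. Ubuntu 16.04]`. The opening front-matter delimiter also appears as ` ---` with a leading space while the closing one is `---`; if that space is really in the file, GitHub will not parse the front matter and the `name`/`about` fields will not show up in the issue chooser, so make sure the first line is exactly `---`. Finally, since this commit also adds SECURITY.md, the template should tell reporters up front that anything security-related must not be filed as a public issue but sent to the address in SECURITY.md; otherwise the first vulnerability report this template receives will land in the public tracker.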
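Review bot: in the SECURITY.md hunk, the "Supported Versions" section states "We currently support 4CAT's master branch only", but the last step of the disclosure process says "Patch releases are published for all fixed released versions and the advisory is published"; these contradict each other, so either list the release lines that actually receive security fixes or reword the last step to say a fix lands on master and is included in the next release. A few smaller points in the same hunk: "It is important to insure this file is protected" should read "ensure"; "Whether this vulnerability public or known to third parties" is missing "is"; "An explanation who can exploit" should be "An explanation of who can exploit"; and the bullet "- This will help us evaluate your report quickly, especially if the issue is complex." is a continuation of the attack-scenario item, not a separate request, so it should be folded into the preceding bullet. Since the policy asks reporters to email technical details of unpatched vulnerabilities, consider also stating an expected acknowledgement window for "Your email will be acknowledged" and, if one exists, a PGP key or other encrypted channel for 4cat@oilab.eu, so that reporters know how to send reproduction details without exposing them in plaintext mail.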