Update the security policy (#8408)

Update the security with more details on the procedure and also add GitHub's security advisory page as possibility to report a vulnerability.
This commit is contained in:
Bernhard Miklautz 2022-11-16 18:06:37 +01:00 committed by GitHub
parent f42f8c32fd
commit 3ae79bd72e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1,20 +1,61 @@
# Security Policy # FreeRDP Security Policies and Procedures
## Supported Versions This document describes the security policy and procedures for the [FreeRDP Project](https://github.com/FreeRDP/FreeRDP).
The following topics are covered:
We support only the latest stable branch and development/master. * [Supported Versions](#supported-versions)
Since the protocol is a moving target we do not strictly distinguish between feature and security updates, but keep the API forward compatible within the stable branch. * [Reporting a Vulnerability](#reporting-a-vulnerability)
* [Disclosure Procedure](#disclosure-procedure)
| Version | Supported |
| ------- | ------------------ |
| master | :white_check_mark: |
| 2.x.x | :white_check_mark: |
| < 2.0.0 | :x: |
## Reporting a Vulnerability ## Supported versions
Security is very important for us therefore we try to provide security updates and support for
the latest stable version as well as for the development branch.
Since our development branch is, like the protocol itself, a moving target we won't request CVEs for issues that are *only* found on the development branch.
The following table shows the currently supported versions:
| Version | Branch | Supported |
| ------- |--------------| ------------------ |
| < 2.0.0 | stable-1.x | :x: |
| 2.x.x | stable-2.0 | :heavy_check_mark: |
| - | master | :white_check_mark: |
## Reporting a vulnerability
**IMPORTANT**: Please, do not file security vulnerabilities as public issues on GitHub
In advance: **Thank you** for reporting a security vulnerability and making FreeRDP more stable! We really appreciate your effort.
Please let us know who we should give the credit or attributions to.
If you have found a security vulnerability in FreeRDP you can either directly open an [Advisory on GitHub](https://github.com/FreeRDP/FreeRDP/security/advisories/new)[^1] or send us an email to mailto:security@freerdp.com
In case of an email you can use the [FreeRDP security team GPG key](#reporting-gpg-key) for encrypted communication.
Once we receive a report we will review it and respond as soon as possible.
###
## Disclosure procedure
When the FreeRDP team receives a report one of the team members will be assigned as primary contact.
The primary contact will do all further communications and coordinate the fix and release process.
How your report will be handled:
* When a report is received we will acknowledge the reception and review the reported issue(s) as soon as possible.
* Once confirmed we will determine the affected versions. If not reported via GitHub a [security advisory draft on GitHub](https://github.com/FreeRDP/FreeRDP/security/advisories) will be created for any issue. If it applies we will request a CVE.
* On a private branch we will fix the issue and check the code for any potential similar problem.
* After the fix is validated we will create and publish a new release for all supported versions and publish the advisories.
## Reporting GPG key
FreeRDP's security reporting public gpg key https://pub.freerdp.com/FreeRDP-security-team.pub.asc
Please report a vulnerability to security@freerdp.com
For encrypted communication you can use the following GPG key:
``` ```
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
@ -69,3 +110,4 @@ Vw2F8gu/fHiadawxWIhUH+plFVQZc1KwgPcIMW3S
=O0kP =O0kP
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
``` ```
[^1]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability