Merge pull request #1984 from thelounge/astorije/vulnerability-disclosure

Add SECURITY guidelines about security vulnerability disclosures, and link them from the CONTRIBUTING guidelines
2018-01-16 10:35:12 +02:00 · 2018-01-16 10:35:12 +02:00 · 33de4840c6
commit 33de4840c6
parent 7a691b8e6c fda03b8362
2 changed files with 11 additions and 0 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -9,6 +9,8 @@ your contributions.
  issues](https://github.com/thelounge/lounge/issues?q=is%3Aissue) to see if
  this was not already discussed before. If you can't see any, feel free to
  [open a new issue](https://github.com/thelounge/lounge/issues/new).
+- If you think you discovered a security vulnerability, **do not open a public
+  issue on GitHub.** Refer to our [security guidelines](SECURITY.md) instead.

 ### I want to contribute to the code

--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,9 @@
+# Responsible Disclosure of Security Vulnerabilities
+
+- ⚠️ **Do not open public issues on GitHub to report security vulnerabilities.**
+- Contact us privately first, in a
+  [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure)
+  manner.
+- On IRC, send a private message to any voiced user on our Freenode channel,
+  `#thelounge`.
+- By email, send us your report at <mailto:security@thelounge.chat>.