diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..c11ac555 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ +# Security Policy + +## Supported Versions + +We actively maintain and patch the following versions of this project. Please ensure you are using one of these supported versions before reporting security issues. + +| Version | Supported | +| ------- | ------------------ | +| >= 0.18.0 | :white_check_mark: | +| <= 0.17.0 | :x: | + +## Reporting a Vulnerability + +If you discover a security vulnerability, please follow these steps: + +1. **Do not disclose publicly.** + To protect users, please avoid discussing the vulnerability in public forums, issues, or pull requests. + +2. **Report privately.** + Email to **[fredrik@scaleoutsystems.com](mailto:fredrik@scaleoutsystems.com)** with the following information: + - A clear description of the vulnerability. + - Steps to reproduce the issue (if applicable). + - Any potential impact you foresee. + - Any patches or workarounds you've already implemented (if applicable). + +3. **Confirmation.** + We will confirm the report a.s.a.p by assessing the risk degree of the vulnerability and add it as an internal issue. We will email you about this process and let you know when the issue + has been addressed and in which release. + + +5. **Resolution.** + Once the vulnerability is resolved, we will issue an advisory and release a patch if required. We will credit the reporter unless anonymity is requested. + +## Security Best Practices + +While using this project, we recommend: +- Keeping the project up-to-date (which in turn will keep dependencies up-to-date). If you install from source, don't forget to reinstall the project after a pull. +- Reviewing [our documentation](https://docs.scaleoutsystems.com/en/stable/) for secure configuration tips. +- Reporting issues responsibly. + +We thank you for helping us keep this project safe for the community!