From 2a25ebcb4996afd54998ba01c710812a77eb8c22 Mon Sep 17 00:00:00 2001 From: Rick Spurgeon Date: Tue, 14 Jan 2025 09:17:23 -0600 Subject: [PATCH] Doc: Add security doc --- SECURITY.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..1330956 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,40 @@ +# Security Policy + +## Reporting a Vulnerability + +At Kong, we take security issues very seriously. If you believe you have found a security +vulnerability in our project, we encourage you to disclose it responsibly. +Please report any potential security vulnerabilities to us by sending an +email to [vulnerability@konghq.com](mailto:vulnerability@konghq.com). + +## How to Report + +1. **Do not publicly disclose the vulnerability**: Please do not create a GitHub issue or post the vulnerability on + public forums. Instead, contact us directly at [vulnerability@konghq.com](mailto:vulnerability@konghq.com). +1. **Provide detailed information**: When reporting a vulnerability, please include as much information as possible + to help us understand and reproduce the issue. This may include: + - Description of the vulnerability + - Steps to reproduce the issue + - Potential impact + - Any relevant logs or screenshots + +## What to Expect + +- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours. +- **Investigation**: Our security team will investigate the report and will keep you informed of the progress. We aim to resolve critical vulnerabilities within 30 days of confirmation. +- **Disclosure**: We prefer coordinated disclosure and will work with you to schedule the disclosure of the vulnerability in a way that minimizes the risk to users. + +## Bug Bounty Program + +We encourage security researchers to participate in our bug bounty program as +outlined on the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page. +This program provides rewards for discovering and reporting security vulnerabilities in accordance with our disclosure guidelines. + +Thank you for helping to keep HTTPSnippet secure. + +For more information on our security policies and guidelines, +please visit the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page. 
+ +## Contact + +For any questions or further assistance, please contact us at [vulnerability@konghq.com](mailto:vulnerability@konghq.com).
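Review bot: The "How to Report" section asks reporters for "Steps to reproduce the issue" and "Any relevant logs or screenshots" but offers only a plain mailto link to vulnerability@konghq.com as the channel; consider publishing a PGP key (or a link to one) next to the address so that reproduction details do not have to travel in cleartext. Two smaller points in the same hunk: the "Kong Vulnerability Disclosure" link appears twice with the identical bug-bounty URL, so the closing "For more information on our security policies and guidelines ..." sentence duplicates the "Bug Bounty Program" section and could be removed; and a "Supported Versions" section stating which HTTPSnippet releases receive security fixes is absent, which is something readers of a SECURITY.md usually look for.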