Update SECURITY.md
This commit is contained in:
parent
13aab97d5b
commit
4c75a30d47
48
SECURITY.md
48
SECURITY.md
|
@ -1,5 +1,47 @@
|
||||||
# Security Policy
|
# OpenPanel Security policy
|
||||||
|
|
||||||
## Reporting a Vulnerability
|
Welcome and thanks for taking interest in OpenPanel!
|
||||||
|
|
||||||
Please report security issues to security@openpanel.co
|
We are mostly interested in reports by actual OpenPanel users but all high quality contributions are welcome.
|
||||||
|
|
||||||
|
If you believe that you have have discovered a vulnerability in OpenPanel, please let our development team know by sending an email to <info@openpanel.co>
|
||||||
|
|
||||||
|
We ask you to include a detailed description of the vulnerability, a list of services involved (e.g. nginx, opencli) and the versions which you've tested, full steps to reproduce the vulnerability, and include your findings and expected results.
|
||||||
|
|
||||||
|
Please do not open any public issue on Github or any other social media before the report has been published and a fix has been released.
|
||||||
|
|
||||||
|
With that, good luck hacking us ;)
|
||||||
|
|
||||||
|
## Supported versions
|
||||||
|
|
||||||
|
| Version | Supported |
|
||||||
|
| ------- | ------------------ |
|
||||||
|
| Latest | :white_check_mark: |
|
||||||
|
|
||||||
|
## Qualifying Vulnerabilities
|
||||||
|
|
||||||
|
### Vulnerabilities we really care about
|
||||||
|
|
||||||
|
- Remote command execution
|
||||||
|
- Code/SQL Injection
|
||||||
|
- Authentication bypass
|
||||||
|
- Privilege Escalation
|
||||||
|
- Cross-site scripting (XSS)
|
||||||
|
- Performing limited admin actions without authorization
|
||||||
|
- CSRF
|
||||||
|
|
||||||
|
### Vulnerabilities we accept
|
||||||
|
|
||||||
|
- Open redirects
|
||||||
|
- Password brute-forcing that circumvents rate limiting
|
||||||
|
|
||||||
|
## Non-Qualifying Vulnerabilities
|
||||||
|
|
||||||
|
- Theoretical attacks without proof of exploitability
|
||||||
|
- Attacks that are the result of a third party library should be reported to the library maintainers
|
||||||
|
- Social engineering
|
||||||
|
- Reflected file download
|
||||||
|
- Physical attacks
|
||||||
|
- Weak SSL/TLS/SSH algorithms or protocols
|
||||||
|
- Attacks involving physical access to a user’s device, or involving a device or network that’s already seriously compromised (eg man-in-the-middle).
|
||||||
|
- The user attacks themselves
|
||||||
|
|
Loading…
Reference in a new issue