aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel García <[email protected]>2021-06-26 13:36:05 +0200
committerDaniel García <[email protected]>2021-06-26 13:36:05 +0200
commitb67eacdfded2ce7b7b6b8cc5ab03df27c128dd92 (patch)
tree3d80d31e4e380082d9ab6d79a0dbc5469a253bc1
parent0dcea757641b4f914960704066f2421622b69285 (diff)
parent0c5532d8b51d9cd3fab9a1032173352d4db589d1 (diff)
downloadvaultwarden-b67eacdfded2ce7b7b6b8cc5ab03df27c128dd92.tar.gz
vaultwarden-b67eacdfded2ce7b7b6b8cc5ab03df27c128dd92.zip
Merge branch 'security-md' of https://github.com/BlackDex/vaultwarden into BlackDex-security-md
-rw-r--r--.github/security-contact.gifbin0 -> 2364 bytes
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--SECURITY.md45
3 files changed, 47 insertions, 0 deletions
diff --git a/.github/security-contact.gif b/.github/security-contact.gif
new file mode 100644
index 00000000..0e6e4490
--- /dev/null
+++ b/.github/security-contact.gif
Binary files differ
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 48b89cc1..26fcb663 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,6 +15,7 @@ on:
- "tools/**"
- ".github/FUNDING.yml"
- ".github/ISSUE_TEMPLATE/**"
+ - ".github/security-contact.gif"
pull_request:
# Ignore when there are only changes done too one of these paths
paths-ignore:
@@ -30,6 +31,7 @@ on:
- "tools/**"
- ".github/FUNDING.yml"
- ".github/ISSUE_TEMPLATE/**"
+ - ".github/security-contact.gif"
jobs:
build:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..95d87b78
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,45 @@
+Vaultwarden tries to prevent security issues but there could always slip something through.
+If you believe you've found a security issue in our application, we encourage you to
+notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!
+
+# Disclosure Policy
+
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every
+ effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a
+ third-party. We may publicly disclose the issue before resolving it, if appropriate.
+- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or
+ degradation of our service. Only interact with accounts you own or with explicit permission of the
+ account holder.
+
+# In-scope
+
+- Security issues in any current release of Vaultwarden. Source code is available at https://github.com/dani-garcia/vaultwarden. This includes the current `latest` release and `main / testing` release.
+
+# Exclusions
+
+The following bug classes are out-of scope:
+
+- Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
+- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
+- Attacks requiring physical access to a user's device
+- Issues related to software or protocols not under Vaultwarden's control
+- Vulnerabilities in outdated versions of Vaultwarden
+- Missing security best practices that do not directly lead to a vulnerability (You may still report them as a normal issue)
+- Issues that do not have any impact on the general public
+
+While researching, we'd like to ask you to refrain from:
+
+- Denial of service
+- Spamming
+- Social engineering (including phishing) of Vaultwarden developers, contributors or users
+
+Thank you for helping keep Vaultwarden and our users safe!
+
+# How to contact us
+
+- You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (user: `@danig:matrix.org`)
+- You can send an ![security-contact](/.github/security-contact.gif) to report a security issue.
+ - If you want to send an encrypted email you can use the following GPG key:<br>
+ https://keyserver.ubuntu.com/pks/lookup?search=0xB9B7A108373276BF3C0406F9FC8A7D14C3CD543A&fingerprint=on&op=index