security: Add comprehensive security policy and vulnerability reporting process
This commit is contained in:
309
.github/SECURITY_REPORTING.md
vendored
Normal file
309
.github/SECURITY_REPORTING.md
vendored
Normal file
@@ -0,0 +1,309 @@
|
||||
# Security Vulnerability Reporting
|
||||
|
||||
This file explains how to report security vulnerabilities to the Claude How To project.
|
||||
|
||||
## Quick Links
|
||||
|
||||
- **Private Reporting**: https://github.com/luongnv89/claude-howto/security/advisories
|
||||
- **Security Policy**: [SECURITY.md](../SECURITY.md)
|
||||
- **Report Template**: See below
|
||||
|
||||
## Report a Vulnerability
|
||||
|
||||
### Option 1: GitHub Private Vulnerability Report (RECOMMENDED)
|
||||
|
||||
This is the preferred method for reporting security vulnerabilities.
|
||||
|
||||
**Steps:**
|
||||
1. Go to: https://github.com/luongnv89/claude-howto/security/advisories
|
||||
2. Click "Report a vulnerability"
|
||||
3. Fill in the details (use template below)
|
||||
4. Submit
|
||||
|
||||
**Advantages:**
|
||||
- Keeps vulnerability private until fix is released
|
||||
- Automatic notifications to maintainers
|
||||
- Built-in collaboration features
|
||||
- Integrated with GitHub security tools
|
||||
|
||||
### Option 2: GitHub Security Alert (For Dependencies)
|
||||
|
||||
If you discover a vulnerability in a dependency:
|
||||
|
||||
1. Go to: https://github.com/luongnv89/claude-howto/security/dependabot/alerts
|
||||
2. Review the alert
|
||||
3. Create a pull request with the fix
|
||||
4. Tag with `security` label
|
||||
|
||||
### Option 3: Private Email (If GitHub unavailable)
|
||||
|
||||
If you cannot use GitHub's reporting system:
|
||||
|
||||
**Coming soon**: Security contact email will be added here
|
||||
|
||||
For now, use GitHub's private vulnerability reporting as described above.
|
||||
|
||||
## Vulnerability Report Template
|
||||
|
||||
Use this template when reporting a vulnerability:
|
||||
|
||||
```
|
||||
**Title**: [Brief description of vulnerability]
|
||||
|
||||
**Severity**: [Critical/High/Medium/Low]
|
||||
Estimated CVSS Score: [0-10]
|
||||
|
||||
**Type**: [Code/Documentation/Dependency/Configuration]
|
||||
|
||||
**Affected Component**:
|
||||
- File: [path/to/file.py]
|
||||
- Section: [Section name if documentation]
|
||||
- Version: [latest/specific version]
|
||||
|
||||
**Description**:
|
||||
[Clear explanation of what the vulnerability is]
|
||||
|
||||
**Potential Impact**:
|
||||
[What could an attacker do with this vulnerability?]
|
||||
[Who could be affected?]
|
||||
|
||||
**Steps to Reproduce**:
|
||||
1. [First step]
|
||||
2. [Second step]
|
||||
3. [Third step]
|
||||
[Expected result vs actual result]
|
||||
|
||||
**Proof of Concept** (if available):
|
||||
[Code or steps to demonstrate the vulnerability]
|
||||
|
||||
**Suggested Fix**:
|
||||
[Your recommended solution, if you have one]
|
||||
|
||||
**Additional Context**:
|
||||
[Any other relevant information]
|
||||
|
||||
**Your Information**:
|
||||
- Name: [Your name or anonymous]
|
||||
- Email: [Your email]
|
||||
- Credit: [How you'd like to be credited, if at all]
|
||||
```
|
||||
|
||||
## What Happens After You Report
|
||||
|
||||
### Timeline
|
||||
|
||||
1. **Immediate (< 1 hour)**
|
||||
- Automatic notification sent to project maintainers
|
||||
|
||||
2. **Within 24 hours**
|
||||
- Initial assessment of the report
|
||||
- Confirmation that we received it
|
||||
- Preliminary severity assessment
|
||||
|
||||
3. **Within 48 hours**
|
||||
- Detailed response from security team
|
||||
- Questions for clarification (if needed)
|
||||
- Timeline for fix (if vulnerability confirmed)
|
||||
|
||||
4. **Within 1-7 days** (depends on severity)
|
||||
- Fix developed and tested
|
||||
- Security advisory prepared
|
||||
- Fix released and public advisory published
|
||||
|
||||
### Communication
|
||||
|
||||
We will keep you informed through:
|
||||
- GitHub private vulnerability discussion
|
||||
- Email (if provided)
|
||||
- Updates in the discussion thread
|
||||
|
||||
You can:
|
||||
- Ask clarifying questions
|
||||
- Provide additional information
|
||||
- Suggest improvements to the fix
|
||||
- Request timeline adjustments
|
||||
|
||||
### Disclosure Timeline
|
||||
|
||||
**Critical Issues (CVSS 9.0-10.0)**
|
||||
- Fix: Released immediately (within 24 hours)
|
||||
- Disclosure: Public advisory issued same day
|
||||
- Notice: 24 hours advance notice to reporter
|
||||
|
||||
**High Issues (CVSS 7.0-8.9)**
|
||||
- Fix: Released within 48-72 hours
|
||||
- Disclosure: Public advisory on release
|
||||
- Notice: 5 days advance notice to reporter
|
||||
|
||||
**Medium Issues (CVSS 4.0-6.9)**
|
||||
- Fix: Included in next regular update
|
||||
- Disclosure: Public advisory on release
|
||||
- Notice: Coordinated timing
|
||||
|
||||
**Low Issues (CVSS 0.1-3.9)**
|
||||
- Fix: Included in next regular update
|
||||
- Disclosure: Advisory on release
|
||||
- Notice: Same day as release
|
||||
|
||||
## Security Vulnerability Criteria
|
||||
|
||||
### In Scope
|
||||
|
||||
We accept reports on:
|
||||
|
||||
- **Code Vulnerabilities**
|
||||
- Injection attacks (command, SQL, etc.)
|
||||
- Cross-site scripting (XSS) in examples
|
||||
- Authentication/authorization flaws
|
||||
- Path traversal vulnerabilities
|
||||
- Cryptography issues
|
||||
|
||||
- **Documentation Security**
|
||||
- Exposed secrets or credentials
|
||||
- Insecure code patterns
|
||||
- Security anti-patterns
|
||||
- Misleading security claims
|
||||
|
||||
- **Dependency Vulnerabilities**
|
||||
- Known CVEs in dependencies
|
||||
- Supply chain attacks
|
||||
- Malicious dependencies
|
||||
|
||||
- **Configuration Issues**
|
||||
- Insecure defaults
|
||||
- Missing security headers
|
||||
- Credential exposure in examples
|
||||
|
||||
### Out of Scope
|
||||
|
||||
We do NOT accept reports on:
|
||||
|
||||
- Vulnerabilities in Claude Code itself (contact Anthropic)
|
||||
- Vulnerabilities in external services
|
||||
- Theoretical vulnerabilities without proof
|
||||
- Issues already reported to upstream projects
|
||||
- Social engineering or phishing
|
||||
- User education/training issues
|
||||
|
||||
## Responsible Disclosure Guidelines
|
||||
|
||||
### Do's ✅
|
||||
|
||||
- **Report privately** before public disclosure
|
||||
- **Be specific** with file paths and line numbers
|
||||
- **Provide proof** of the vulnerability
|
||||
- **Give us time** to fix (coordinated disclosure)
|
||||
- **Update** if you discover more details
|
||||
- **Be professional** in all communications
|
||||
- **Respect confidentiality** until we publish
|
||||
|
||||
### Don'ts ❌
|
||||
|
||||
- **Don't publicly disclose** before we fix
|
||||
- **Don't exploit** the vulnerability beyond testing
|
||||
- **Don't modify** other users' data
|
||||
- **Don't demand** payment or favors
|
||||
- **Don't share** the vulnerability with others
|
||||
- **Don't use** it in any harmful way
|
||||
- **Don't spam** with non-security related issues
|
||||
|
||||
## Coordinated Disclosure
|
||||
|
||||
We practice responsible disclosure:
|
||||
|
||||
1. **Private Report**: You report to us privately
|
||||
2. **Our Assessment**: We evaluate and assess severity
|
||||
3. **Fix Development**: We develop and test a fix
|
||||
4. **Advance Notice**: We give you advance notice before public disclosure
|
||||
5. **Public Release**: We release fix and advisory together
|
||||
6. **Your Credit**: We acknowledge your contribution (if desired)
|
||||
|
||||
**Timeline varies based on severity** (see section above)
|
||||
|
||||
## After the Fix is Released
|
||||
|
||||
### Public Advisory
|
||||
|
||||
A public security advisory will include:
|
||||
- Description of the vulnerability
|
||||
- Affected versions
|
||||
- Severity (CVSS score)
|
||||
- Steps to remediate
|
||||
- Link to the fix
|
||||
- Credit to reporter (with permission)
|
||||
|
||||
### Your Recognition
|
||||
|
||||
If you wish to be credited:
|
||||
- Your name/handle in the advisory
|
||||
- Link to your profile/website
|
||||
- Mention in release notes
|
||||
- Addition to hall of fame (if created)
|
||||
|
||||
### No Compensation
|
||||
|
||||
Please note:
|
||||
- This is a volunteer-run open-source project
|
||||
- We cannot offer financial rewards
|
||||
- We do offer recognition and credit
|
||||
- Your contribution helps the community
|
||||
|
||||
## Security Research
|
||||
|
||||
If you're conducting security research:
|
||||
|
||||
1. **Get Permission**: Contact maintainers first
|
||||
2. **Define Scope**: Agree on what you'll test
|
||||
3. **Report Findings**: Use this process
|
||||
4. **Respect Timeline**: Allow time for fixes
|
||||
5. **Publish Responsibly**: Coordinate with us
|
||||
|
||||
## Questions?
|
||||
|
||||
For questions about this process:
|
||||
|
||||
1. Check [SECURITY.md](../SECURITY.md) for detailed policy
|
||||
2. Look at [FAQ](#faq) section below
|
||||
3. Open a discussion with `[SECURITY]` label
|
||||
4. Use private vulnerability reporting for sensitive questions
|
||||
|
||||
## FAQ
|
||||
|
||||
**Q: Will my report be kept confidential?**
|
||||
A: Yes, until the fix is released. We only share details with those working on the fix.
|
||||
|
||||
**Q: How long do I need to wait before public disclosure?**
|
||||
A: We follow responsible disclosure timelines based on severity (24 hours to 7 days). You can agree to extend this if needed.
|
||||
|
||||
**Q: Will I get credit?**
|
||||
A: Yes, in the security advisory and release notes (unless you prefer anonymity).
|
||||
|
||||
**Q: What if the vulnerability is minor?**
|
||||
A: All legitimate security issues are taken seriously. Even minor fixes will be acknowledged.
|
||||
|
||||
**Q: Can I report vulnerabilities in documentation only?**
|
||||
A: Yes! Documentation security is important too. Examples with insecure patterns are in scope.
|
||||
|
||||
**Q: What if I'm not sure if something is a security issue?**
|
||||
A: Report it anyway! If it's not a security issue, we'll let you know. False positives are fine.
|
||||
|
||||
**Q: Can I publicly discuss the vulnerability after reporting?**
|
||||
A: No, please keep it private until we publish the advisory. Premature disclosure could put users at risk.
|
||||
|
||||
**Q: How do I know you received my report?**
|
||||
A: GitHub will send an automatic notification, and we'll follow up within 24 hours.
|
||||
|
||||
**Q: What if I don't hear back?**
|
||||
A: Check GitHub security advisories page. If you still don't see a response, you can follow up with a comment on the private report.
|
||||
|
||||
## Resources
|
||||
|
||||
- [SECURITY.md](../SECURITY.md) - Full security policy
|
||||
- [CONTRIBUTING.md](../CONTRIBUTING.md) - Contributing guidelines
|
||||
- [CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md) - Community standards
|
||||
- [OWASP Guide](https://owasp.org/www-project-responsible-disclosure/) - Responsible disclosure best practices
|
||||
- [Coordinated Vulnerability Disclosure](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html)
|
||||
|
||||
---
|
||||
|
||||
Thank you for helping keep this project secure! 🔒
|
||||
Reference in New Issue
Block a user