|
| 1 | +# Atomist Open Source Security Policies and Procedures |
| 2 | + |
| 3 | +This document outlines security procedures and general policies for the |
| 4 | +Atomist Open Source projects as found on https://github.com/atomist. |
| 5 | + |
| 6 | + * [Reporting a Vulnerability](#reporting-a-vulnerability) |
| 7 | + * [Disclosure Policy](#disclosure-policy) |
| 8 | + |
| 9 | +## Reporting a Vulnerability |
| 10 | + |
| 11 | +The Atomist OSS team and community take all security vulnerabilities |
| 12 | +seriously. Thank you for improving the security of our open source |
| 13 | +software. We appreciate your efforts and responsible disclosure and will |
| 14 | +make every effort to acknowledge your contributions. |
| 15 | + |
| 16 | +Report security vulnerabilities by emailing the Atomist security team at: |
| 17 | + |
| 18 | + |
| 19 | + |
| 20 | +The lead maintainer will acknowledge your email within 24 hours, and will |
| 21 | +send a more detailed response within 48 hours indicating the next steps in |
| 22 | +handling your report. After the initial reply to your report, the security |
| 23 | +team will endeavor to keep you informed of the progress towards a fix and |
| 24 | +full announcement, and may ask for additional information or guidance. |
| 25 | + |
| 26 | +Report security vulnerabilities in third-party modules to the person or |
| 27 | +team maintaining the module. |
| 28 | + |
| 29 | +## Disclosure Policy |
| 30 | + |
| 31 | +When the security team receives a security bug report, they will assign it |
| 32 | +to a primary handler. This person will coordinate the fix and release |
| 33 | +process, involving the following steps: |
| 34 | + |
| 35 | + * Confirm the problem and determine the affected versions. |
| 36 | + * Audit code to find any potential similar problems. |
| 37 | + * Prepare fixes for all releases still under maintenance. These fixes |
| 38 | + will be released as fast as possible to NPM. |
0 commit comments