-
-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
29 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # Security Policy | ||
| This policy is relevant if you found potential vulnerabilities in an audit. | ||
| We consider something as a vulnerability if it... | ||
| 1. puts users or user data at risk | ||
| 2. enables third parties to gain control or access (e.g. [RATs](https://en.wikipedia.org/wiki/Remote_desktop_software#RAT), [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation), ...) | ||
| 3. abuses the system in an unintended way (e.g. crypto mining, proxy, ...) | ||
|
|
||
| ## Supported Versions | ||
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | >1.0.0 | :white_check_mark: | | ||
| | <1.0.0 | :x: | | ||
|
|
||
| ## Reporting a Vulnerability | ||
| We use [GitHub's system for reporting vulnerabilities](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). | ||
| Click [**here to report an advisory**](https://github.com/homarr-labs/homarr/security/advisories/new). Our team will get notified and will get back to you within 1-6 business days. | ||
|
|
||
| As a general guideline; please provide as much detail as possible and provide reproduction steps / documentation regarding the re-creation. | ||
| You may also provide a fork with a fix for the vulnerability. | ||
| See https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html for guidelines regarding disclosure. | ||
|
|
||
| If you're unable / unwilling (or it's not safe) to disclose vulnerabilites via GitHub, please report them with the subject "Security advisory - CVEXXX" to our email [email protected]. | ||
| Please never disclose security vulnerabilits on your own publicly - we'd like to search for a dimplomatic solution that is also safe for our users. | ||
|
|
||
| In your initial contact with us, please provide details according to the [OWASP guidelines for initial reports](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#initial-report). | ||
|
|
||
| Thank you! | ||
| We're looking forward to your report |