Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create SECURITY.md #275

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Create SECURITY.md #275

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Security Notice

## What?

This is the security notice for all GDS (Government Digital Service) repositories. The notice explains how vulnerabilities should be reported to GDS. At GDS there are cyber security and information assurance teams, as well as security-conscious people within the programmes, that assess and triage all reported vulnerabilities.

## Reporting a Vulnerability

GDS is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.

Send details to [[email protected]], including:
- the website, page or repository where the vulnerability can be observed
- a brief description of the vulnerability
- optionally the type of vulnerability and any related [OWASP category]
- non-destructive exploitation details

GDS use ZenDesk as a ticketing system, so you may get a reply or response from that platform.

## Scope
The following are **not** in scope:
- volumetric vulnerabilities, for example overwhelming a service with a high volume of requests
- reports indicating that our services do not fully align with “best practice”, for example missing security headers

If you are not sure, you can still reach out via email; [[email protected]].

## Bug bounty
Unfortunately, GDS doesn't offer a paid bug bounty programme. GDS will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.

# Code of Conduct

GDS have a contributors code of conduct, which you can find here: [CODE_OF_CONDUCT.md]

---

#### Further reading and inspiration about responsible disclosure and `SECURITY.md`
- <https://mojdigital.blog.gov.uk/vulnerability-disclosure-policy/>
- <https://www.ncsc.gov.uk/information/vulnerability-reporting>
- <https://github.com/Trewaters/security-README>

[[email protected]]: mailto:[email protected]
[CODE_OF_CONDUCT.md]: https://github.com/alphagov/.github/blob/master/CODE_OF_CONDUCT.md
[OWASP category]: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project