glowing-fiesta/SECURITY.md

Security Policy

Glowing Fiesta is unreleased software still in early development, and so bugs and vulnerabilities in its code can be safely disclosed publicly. The preference is to report security issues as GitHub issues.

However, private vulnerability reporting is also enabled on the repository. If you find a security issue in Glowing Fiesta, or in another package that you believe affects Glowing Fiesta, you may report it privately to the maintainers using the process outlined in GitHub documentation.

Issues reported and accepted through the private reporting process will be disclosed publicly once they are resolved, and given a security advisory identifier. The maintainers may include regular contributors in the disposition and resolution process as their expertise requires. Researchers who report security issues privately will be credited in the advisory.

The maintainers reserve the right to reject reports that are not security issues, or that are not in the scope of Glowing Fiesta. For reports that are determined not to be security issues, please re-file them as a regular GitHub issue instead. If you choose not to re-report the issue as a regular issue, the maintainers may do so themselves.

Glowing Fiesta does not offer bug bounties for security issues at this time.

Scope of Security Issues

Many security features of the web platform are not yet implemented in Glowing Fiesta. Security reports regarding incomplete features may be redirected to regular issues. The following are examples of issues that are not in scope at this time:

  • Cross-site request forgery
  • Cross-site scripting
  • Content Security Policy violations
  • Cross-origin iframe sandboxing

The maintainers reserve the right to modify this list as the project matures and as security issues are reported.

Significant portions of the browser depend on third-party libraries. Examples include image decoding, video decoding, internationalization, and 2D graphics. Security issues in these libraries should be reported to the maintainers of the respective libraries. The maintainers of Glowing Fiesta will work with the maintainers of those libraries to resolve the issue. If a security issue relates more to the integration of the library into Glowing Fiesta than to the library itself, it should be reported via the same methods as other security issues.

Responsible Disclosure

The maintainers of Glowing Fiesta will work with security researchers to resolve security issues in a timely manner. A default 120-day disclosure timeline is in place for all security issues, but this may be extended if the maintainers and the reporter agree that more time is needed to resolve the issue. The maintainers will keep the reporter informed of progress and resolution steps throughout the process.

In the case that a security issue is also reported to other package vendors or OSS projects, the maintainers will work with the longest disclosure timeline to ensure that all parties have sufficient time to resolve the issue.