# Security Policy

Glowing Fiesta is unreleased software still in early development, and so bugs and vulnerabilities in its code can be safely disclosed publicly. The preference is to report security issues as [GitHub issues](https://github.com/lburcusel/glowing-fiesta/issues/new?template=bug_report.md).

However, private vulnerability reporting is also enabled on the repository. If you find a security issue in Glowing Fiesta, or in another package that you believe affects Glowing Fiesta, you may report it privately to the maintainers using the [process outlined in GitHub documentation](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory).

Issues reported and accepted through the private reporting process will be disclosed publicly once they are resolved, and given a security advisory identifier. The maintainers may include regular contributors in the disposition and resolution process as their expertise requires. Researchers who report security issues privately will be credited in the advisory.

The maintainers reserve the right to reject reports that are not security issues, or that are not in the scope of Glowing Fiesta. For issues that are determined to not be security issues, please report them as a [GitHub issue](https://github.com/lburcusel/glowing-fiesta/issues/new?template=bug_report.md) instead. If you choose not to re-report the issue as a generic issue, the maintainers may do so themselves.

Glowing Fiesta does not offer bug bounties for security issues at this time.

## Scope of Security Issues

Many security features of the web platform are not yet implemented in Glowing Fiesta. Security reports regarding incomplete features may be redirected to regular issues. The following are examples of issues that are not in scope at this time:

- Cross-site request forgery
- Cross-site scripting
- Content Security Policy violations
- Cross-origin iframe sandboxing

The maintainers reserve the right to modify this list as the project matures and as security issues are reported.

Significant portions of the browser depend on third-party libraries. Examples include image decoding, video decoding, internationalization, and 2D graphics. Security issues in these libraries should be reported to the maintainers of the respective libraries. The maintainers of Glowing Fiesta will work with the maintainers of these libraries to resolve the issue. If a security issue relates more to the integration of the library into Glowing Fiesta, it should be reported via the same methods as other security issues.

## Responsible Disclosure

The maintainers of Glowing Fiesta will work with security researchers to resolve security issues in a timely manner. A default 120-day disclosure timeline is in place for all security issues, but this may be extended if the maintainers and the reporter agree that more time is needed to resolve the issue. The maintainers will keep the reporter informed of progress and resolution steps throughout the process.

In the case that a security issue is also reported to other package vendors or OSS projects, the maintainers will work with the longest disclosure timeline to ensure that all parties have sufficient time to resolve the issue.