From 0c5532d8b51d9cd3fab9a1032173352d4db589d1 Mon Sep 17 00:00:00 2001
From: BlackDex
Date: Sat, 26 Jun 2021 11:49:00 +0200
Subject: [PATCH] Adding a SECURITY.md

---
 .github/security-contact.gif | Bin 0 -> 2364 bytes
 .github/workflows/build.yml  |  2 ++
 SECURITY.md                  | 45 +++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 .github/security-contact.gif
 create mode 100644 SECURITY.md
diff --git a/.github/security-contact.gif b/.github/security-contact.gif new file mode 100644 index 0000000000000000000000000000000000000000..0e6e449029d0a3b4716b202aba73d812e4cba18d GIT binary patch literal 2364 zcmV-C3B&eBNk%w1VL$;50QUd@000010RaL60s{jB1Ox;I1_lQQ2M7oV2?+@b3JMDg z3k?ko4-XFz5D*a&5fc*=6ciK{6%`g178e&67#J8C85tTH8XFrM92^`S9UUGX9v>ec zARr(iAt53nA|oRsBqSsyB_$>%CMPE+C@3f?DJd!{Dl021EG#T7EiEoCE-x=HFfcGN zF)=bSGBYzXG&D3dH8nOiHa9mnI5;>tIXOByIy*Z%JUl!-Jv}}?K0iM{KtMo2K|w-7 zLPJACL_|bIMMXwNMn^|SNJvOYNl8jdN=r*iOiWBoO-)WtPESuyP*6}&QBhJ-Qd3h? zR8&+}R#sP6S6EnBSy@?HT3TCMTU=aRU0q#XUS3~cUtnNhVPRonVq#-sV`OAxWo2b% zW@cw+XJ}|>X=!O{YHDk1Yiw+6ZEbCCZfSY zo}QndpP-Cc=sHmx_sj8}~tE;Q5tgNlAt*)-FudlDLu&}YQ zv9hwVv$M0bw6wLgwYIjlx3{;rxVX8wxw^W#ySux*yu7`=y}rJ_zrVl0z`()5!NS7A z!^6YG#KgtL#m2_Q$H&LW$jHgb$;!&g%gf8m%*@Tr&Cbrw&(F`$(9qG*(bCe=)6>(` z)YR40)z;S5*VotB*x1?G+1lFL+uPgR+}z#W-QM2b-{0Th;Naom;o{=ruz*=jZ3>=;-O`>FVn0>+9?6?CkCB?e6aG@9*#M@bK~R@$&NW^Yioc^z`-h_4fAm z_xJbs`1twx`TF|$`}_O+{QUj>{r>*`|Ns90000000000000000000000000000000 z0000000000A^8LV00000EC2ui06+l^000R80O<)FNU)&6g9sBUT*$DY!-o(fN}Ncs zqQ#3CGgd^Dir_6$*))ob2y4;ElNz&;;)T*+wo>d`%A6^&2p@uhG89=zsv}K{h>#Fm zgbbrKdfCjF2{e$`l{9A3Tq$~#rZ6Y~iV7@u2jw#WlSGoEhwO@(EjOEnG4o6yqA+Qo zrlH5q-A{t-z!i*1mmoO4Tgw^jv>*X{x0s-V3HOmx1OR^&6pK&^l>&eQKA0d(Wdh=+P#7y1 zSRp-kbkKqb?2#pc2`c~qN;Uvkmqu3f^umA-R#;$yU1=zQAw7ryU;zy@gaiu!X5!O0Kk$JDM0hIi0L4|zyFwgmugn4o|r^pN7C4jF(#k2DB&umx-c&;a9O2u)&v8GN-c z5E6_w@K`T&7R5`G#z`ZD39%^uB#a0mSTGkou>f#|6B6i@+Ezp!h1m zOP7wuPA?e{^ao-Dr7|Q!h+I+-l>#9l2SV%sz+Nh`g5rZf*+ffE2eH!Q1fz18L=O!t z(IX!zp$*i_xdUC%Zoi0RmmETW)L2j&9SuAXod!*4oI%nI>_nB>jfI4D^q3%6ISSKb z=RoBMQP391T(ZWz`isAts6|ST!5J(RcH_<4N6#mfikRKMKHDQw*y(x01`C#pa4CoGzoPomm*>U6iyI85FgYI z6iZDtu3DHXr-^$UT!{FLx9Fsfc4fHX(P!nWHAU;T7$;srXJ~+no#IPAD z#=2W207dAaLkB{E^YR~1_=Z7(liKkN!;}0 zEs!N#Uw?GIr8FsODRVW@oBP*CPmeIoO2{2Z#}^A|B@F>A2r?*UiR4(~W%+84(vZQD z%W;oO_R>;8ltDLvI01B=f=l`q!ixlbC>6JohUDmRJ|aor3dBK3EQ%n9o>}2U?`oM{ zgwZh{Y{nXi^V1doic}@E2m}g@5{M6oBMtrm02cJffX$RM8h!;rUI|%414wti4zMQ! 
z6yw7P>9MNoKtTd51J|;Sm=;oui5^1enF!(sn-(~M1|l;MJtW|WR1m-&Lhu0+VgP`f zfC32(5R$fdfrLCEAuR_%h6IEVgB8St7Z&hAn-XFP0QkTO9cY~yR&Ylh*o736gcKBo z(SRaIfJyWKg#`fMgk}i?2{H1PKwu$(BA8%)ox|cnE+Gd$b&nnen+q=tB!mxT!wDE< zh_D6%iVQ$O2n4WzUgXdL0|9_QYe2%&pec|Rgv|mi3J*Ev(&=a$q@@{l%p-u=mk#eMGl+d^kLaJDnYjQkY4m6Cd!bia->RBiI77y zNa4j;dO;as#DX2q5R5Q*5!PF5#;crCnoiTY)*T|F7q{3>R%7B*yb9#6as}!_lG+Pi zL{lJ2C5S;$DiL;Qm7%?$AW&oC23552vs7)COO`wQ;jz38u5gD-+~O)EAOJgW-~UYj literal 0 HcmV?d00001 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 48b89cc1..26fcb663 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,7 @@ on: - "tools/**" - ".github/FUNDING.yml" - ".github/ISSUE_TEMPLATE/**" + - ".github/security-contact.gif" pull_request: # Ignore when there are only changes done too one of these paths paths-ignore: @@ -30,6 +31,7 @@ on: - "tools/**" - ".github/FUNDING.yml" - ".github/ISSUE_TEMPLATE/**" + - ".github/security-contact.gif" jobs: build: diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..95d87b78 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,45 @@ +Vaultwarden tries to prevent security issues but there could always slip something through. +If you believe you've found a security issue in our application, we encourage you to +notify us. We welcome working with you to resolve the issue promptly. Thanks in advance! + +# Disclosure Policy + +- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every + effort to quickly resolve the issue. +- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a + third-party. We may publicly disclose the issue before resolving it, if appropriate. +- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or + degradation of our service. Only interact with accounts you own or with explicit permission of the + account holder. + +# In-scope + +- Security issues in any current release of Vaultwarden. Source code is available at https://github.com/dani-garcia/vaultwarden. This includes the current `latest` release and `main / testing` release. + +# Exclusions + +The following bug classes are out-of scope: + +- Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues) +- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. 
These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated +- Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer +- Attacks requiring physical access to a user's device +- Issues related to software or protocols not under Vaultwarden's control +- Vulnerabilities in outdated versions of Vaultwarden +- Missing security best practices that do not directly lead to a vulnerability (You may still report them as a normal issue) +- Issues that do not have any impact on the general public + +While researching, we'd like to ask you to refrain from: + +- Denial of service +- Spamming +- Social engineering (including phishing) of Vaultwarden developers, contributors or users + +Thank you for helping keep Vaultwarden and our users safe! + +# How to contact us + +- You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (user: `@danig:matrix.org`) +- You can send an ![security-contact](/.github/security-contact.gif) to report a security issue. + - If you want to send an encrypted email you can use the following GPG key:
+ https://keyserver.ubuntu.com/pks/lookup?search=0xB9B7A108373276BF3C0406F9FC8A7D14C3CD543A&fingerprint=on&op=index
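Review bot: the `GIT binary patch` for `.github/security-contact.gif` cannot be inspected in the diff, so a reviewer has to check the branch out and open the image to confirm what it actually renders; please state in the PR description that it renders the security contact address and how it was generated, so the review can be verified and the image regenerated when the address changes.

Review bot: in the two `paths-ignore` hunks of `.github/workflows/build.yml` (`push` and `pull_request`) only the GIF is excluded, while `SECURITY.md` itself is not, so unless a `*.md` pattern already sits in the lines above the visible context, every edit to the security policy still triggers a full build; add `- "SECURITY.md"` next to `- ".github/security-contact.gif"` in both lists. While touching this block, the adjacent comment `# Ignore when there are only changes done too one of these paths` has a typo ("too" for "to").

Review bot: in the "How to contact us" section of `SECURITY.md`, the only email contact is `![security-contact](/.github/security-contact.gif)`, whose alt text does not contain the address, so screen readers, text-mode renderers and anyone reading the file outside github.com (the root-relative path `/.github/security-contact.gif` only resolves where the repository root is served at `/`) cannot email a report and are left with the Matrix link as the sole channel. If the image is kept to deter scraping, add a plain-text fallback (for example the address spelled out in words) and show the fingerprint `B9B7A108373276BF3C0406F9FC8A7D14C3CD543A` as text rather than only inside the keyserver URL, so a reporter can verify the key they fetch against what is committed in the repository. Minor wording: "like on the the web-vault" doubles "the", and "to which we are not associated" should read "with which we are not affiliated".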