
Security: chaosblade-io/chaosblade


SECURITY.md

ChaosBlade Security Policy

ChaosBlade is a growing community, and we take the security of the code base seriously. We are grateful to users, security researchers, and anyone else who reports security vulnerabilities to us. Every reported vulnerability will be carefully assessed, addressed, and answered.


Reporting a Vulnerability

To report a security problem in ChaosBlade, contact the ChaosBlade Security Team at [email protected]. The team will help assess the severity of the issue and decide how to address it. Issues judged to be non-critical will be tracked as regular GitHub issues. Critical issues will receive immediate attention and be fixed as quickly as possible.


Disclosure policy

For vulnerabilities that are already public, we will publish our own disclosure as soon as possible after receiving the report. Newly discovered vulnerabilities will be disclosed according to the following process:

  1. The vulnerability report is handed to the security team, which coordinates the follow-up and the fix.
  2. Once the vulnerability is confirmed, we create a draft Security Advisory on GitHub describing the details of the vulnerability.
  3. Relevant maintainers and contributors are invited to discuss the fix.
  4. A temporary private fork is created on GitHub, and the fix is developed collaboratively there.
  5. After the fix has been merged into all supported versions, the advisory is published in the GitHub Advisory Database.


There aren't any published security advisories.