Create SECURITY.md #2819

Merged
merged 1 commit into from
Sep 12, 2023
81 changes: 81 additions & 0 deletions SECURITY.md
@@ -0,0 +1,81 @@
# GitHub Security Policy

Last Updated: [12-09-2023]

## Table of Contents

1. [Scope](#scope)
2. [Reporting Security Issues](#reporting-security-issues)
3. [Responsible Disclosure](#responsible-disclosure)
4. [Vulnerability Handling](#vulnerability-handling)
5. [Security Best Practices](#security-best-practices)
6. [Access Control](#access-control)
7. [Incident Response](#incident-response)
8. [Security Training and Awareness](#security-training-and-awareness)
9. [Review and Updates](#review-and-updates)

## 1. Scope

This GitHub Security Policy outlines security guidelines, best practices, and procedures for Zimmerman when using GitHub repositories, organizations, and related services. This policy applies to all employees, contractors, and collaborators working with GitHub resources associated with Zimmerman.

## 2. Reporting Security Issues

If you discover a security vulnerability or any potential security issue related to GitHub repositories or services used by Zimmerman, please report it immediately to our security team via email at [[email protected]]. You can also use our private GitHub repository for confidential reporting.

## 3. Responsible Disclosure

Zimmerman is committed to responsible disclosure. We appreciate the efforts of security researchers and community members who help us improve our security. If you report a security issue to us, we will:

- Acknowledge your report within [72 hours].
- Work with you to understand and validate the issue.
- Keep you informed about our progress and actions.
- Credit your responsible disclosure in our security advisories if desired.

## 4. Vulnerability Handling

### 4.1 Vulnerability Classification

We categorize vulnerabilities according to severity and impact. The following classifications are used:

- **Critical**: Vulnerabilities that pose a severe risk to our systems, data, or users.
- **High**: Vulnerabilities with a significant impact but less severe than critical vulnerabilities.
- **Medium**: Vulnerabilities that have a moderate impact and may require attention.
- **Low**: Vulnerabilities with minimal impact but still warranting attention.

### 4.2 Vulnerability Remediation

Our security team will assess reported vulnerabilities, and depending on their severity, take appropriate action, which may include:

- Patching or fixing the vulnerability.
- Communicating the issue to relevant stakeholders.
- Monitoring for potential exploitation.
- Publishing a security advisory.

## 5. Security Best Practices

To maintain the security of our GitHub repositories, we follow these best practices:

- Regularly update and patch software components.
- Implement strong access controls.
- Enable two-factor authentication (2FA) for all GitHub accounts.
- Scan code for vulnerabilities using static analysis tools.
- Encrypt sensitive data and communication.
- Educate all personnel about security awareness.

## 6. Access Control

Access to GitHub repositories and organizations is controlled through role-based access control (RBAC). Permissions are granted based on job responsibilities and the principle of least privilege. Only authorized personnel should have access to sensitive repositories and organization settings.

## 7. Incident Response

In the event of a security incident related to GitHub repositories, Zimmerman has an incident response plan in place. All incidents are documented, investigated, and reported to the relevant authorities if necessary. All affected parties will be notified promptly.

## 8. Security Training and Awareness

All employees, contractors, and collaborators are required to undergo security training and adhere to security policies. Security awareness programs are conducted periodically to ensure that all personnel are informed about current threats and best practices.

## 9. Review and Updates

This GitHub Security Policy will be reviewed periodically and updated as needed to adapt to changing security threats and organizational requirements. It is the responsibility of Zimmerman to ensure that all members are aware of and adhere to this policy.
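Review bot: the reporting channel in section 2 is still a template placeholder, so an external researcher reading this file has no working way to reach the team; `[[email protected]]`, `Last Updated: [12-09-2023]` and `Acknowledge your report within [72 hours].` all keep their square-bracket placeholders and should be replaced with the real address, an unambiguous date (ISO 8601, since 12-09-2023 reads as either 12 September or 9 December) and the actual SLA before merging. The alternative channel "our private GitHub repository for confidential reporting" is not reachable by outside reporters, who cannot see a private repository; if the intent is GitHub's private vulnerability reporting feature, say so and link to it, otherwise drop the sentence. Also, the table of contents links such as `[Scope](#scope)` will not resolve: GitHub derives anchors from the heading text, and headings are written as `## 1. Scope`, which yields `#1-scope`, so either drop the numbers from the headings or update the anchors to match.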