39 lines
1.8 KiB
Markdown
39 lines
1.8 KiB
Markdown
# Security Guidelines
|
|
|
|
Please contact us directly at **security@3rd-Eden.com** for any bug that might
|
|
impact the security of this project. Please prefix the subject of your email
|
|
with `[security]` in lowercase and square brackets. Our email filters will
|
|
automatically prevent these messages from being moved to our spam box.
|
|
|
|
You will receive an acknowledgement of your report within **24 hours**.
|
|
|
|
All emails that do not include security vulnerabilities will be removed and
|
|
blocked instantly.
|
|
|
|
## Exceptions
|
|
|
|
If you do not receive an acknowledgement within the said time frame please give
|
|
us the benefit of the doubt as it's possible that we haven't seen it yet. In
|
|
this case please send us a message **without details** using one of the
|
|
following methods:
|
|
|
|
- Contact the lead developers of this project on their personal e-mails. You can
|
|
find the e-mails in the git logs, for example using the following command:
|
|
`git --no-pager show -s --format='%an <%ae>' <gitsha>` where `<gitsha>` is the
|
|
SHA1 of their latest commit in the project.
|
|
- Create a GitHub issue stating contact details and the severity of the issue.
|
|
|
|
Once we have acknowledged receipt of your report and confirmed the bug ourselves
|
|
we will work with you to fix the vulnerability and publicly acknowledge your
|
|
responsible disclosure, if you wish. In addition to that we will create and
|
|
publish a security advisory to
|
|
[GitHub Security Advisories](https://github.com/websockets/ws/security/advisories?state=published).
|
|
|
|
## History
|
|
|
|
- 04 Jan 2016:
|
|
[Buffer vulnerability](https://github.com/websockets/ws/releases/tag/1.0.1)
|
|
- 08 Nov 2017:
|
|
[DoS vulnerability](https://github.com/websockets/ws/releases/tag/3.3.1)
|
|
- 25 May 2021:
|
|
[ReDoS in `Sec-Websocket-Protocol` header](https://github.com/websockets/ws/releases/tag/7.4.6)
|